major-updates-sep-2023 (#85)

Co-authored-by: Rodrigo Santos <[email protected]>

docs/content/contributing/_index.md

@@ -1,7 +1,7 @@
 +++
 title = "Contributing"
 description = "Contribution Guide for the Azure Proactive Resiliency Library (APRL)"
-weight = 2
+weight = 3
 +++
 {{< panel title="Contributions Notice" style="warning" >}} Currently we can only accept contributions from Microsoft FTEs. In the future we will look to change this. {{< /panel >}}
 

docs/content/services/container/azure-container-registry/code/cr-1/cr-1.kql

@@ -3,5 +3,5 @@
 resources
 | where type =~ "microsoft.containerregistry/registries"
 | where sku.name != "Premium"
-| project recommendationId = "cr-1", name, id
+| project recommendationId = "cr-1", name, id, param1=strcat("SkuName: ", tostring(sku.name))
 | order by id asc

docs/content/services/container/azure-container-registry/code/cr-2/cr-2.kql

@@ -2,6 +2,6 @@
 // Find all Container Registries that do not have zone redundancy enabled
 resources
 | where type =~ "microsoft.containerregistry/registries"
-| where properties.zoneRedundancy == "Disabled"
-| project recommendationId = "cr-2", name, id
+| where sku.name != "Premium" or properties.zoneRedundancy != "Enabled"
+| project recommendationId = "cr-2", name, id, param1=strcat("zoneRedundancy: ", tostring(properties.zoneRedundancy))
 | order by id asc

docs/content/services/networking/Application Gateway/code/appgw-1/appgw-1.kql

@@ -1,4 +1,7 @@
-Resources
-| where type == "microsoft.network/applicationGateways"
-| where properties.capacity.autoScaleConfiguration != null
-| where properties.capacity.autoScaleConfiguration.minCapacity >= 2
+// Azure Resource Graph Query
+// This query will return all Application Gateways that do not have autoscale enabled or have a min capacity of 1
+resources
+| where type =~ "microsoft.network/applicationGateways"
+| where isnull(properties.capacity.autoScaleConfiguration) or properties.capacity.autoScaleConfiguration.minCapacity <= 1
+| project recommendationId = "appgw-1", name, id, param1 = "autoScaleConfiguration: isNull or MinCapacity <= 1"
+| order by id asc

docs/content/services/networking/Application Gateway/code/appgw-3/appgw-3.kql

@@ -1,4 +1,7 @@
+// Azure Resource Graph Query
+// This query will return all Application Gateways that do not have WAF enabled
 Resources
-| where type == "microsoft.network/applicationGateways"
-| where properties.webApplicationFirewallConfiguration != null
-| project name, waf_enabled = tobool(properties.webApplicationFirewallConfiguration.enabled)
+| where type =~ "microsoft.network/applicationGateways"
+| where isnull(properties.webApplicationFirewallConfiguration)
+| project recommendationId = "appgw-3", name, id, param1 = "webApplicationFirewallConfiguration: isNull"
+| order by id asc

docs/content/services/networking/Application Gateway/code/appgw-4/appgw-4.kql

@@ -1,6 +1,8 @@
-Resources
-| where type == "microsoft.network/applicationGateways"
+// Azure Resource Graph Query
+// This query will return all Application Gateways in your Azure environment and will identify if they are v1 or v2
+resources
+| where type =~ "microsoft.network/applicationGateways"
 | extend sku = tolower(tostring(properties.sku.name))
-| extend is_v2 = iif(startswith(sku, "standard_v2"), true, false)
-| extend is_v1 = iif(startswith(sku, "standard"), not(is_v2), false)
-| project name, is_v1, is_v2
+| where sku != "waf_v2" and sku != "standard_v2"
+| project recommendationId = "appgw-4", name, id, param1 = "sku: v1"
+| order by id asc

docs/content/services/networking/network-security-group/_index.md

@@ -0,0 +1,153 @@
++++
+title = "Network Security Group"
+description = "Best practices and resiliency recommendations for Network Security Group and associated resources and settings."
+date = "9/19/23"
+author = "rodrigosantosms"
+msAuthor = "rodrigosantosms"
+draft = false
++++
+
+The presented resiliency recommendations in this guidance include Network Security Group and associated resources and settings.
+
+## Summary of Recommendations
+
+{{< table style="table-striped" >}}
+| Recommendation                                                                                                                                                                |  Category         |  Impact   |  State     | ARG Query Available |
+| :---------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | :--------------:  | :------:  | :------:   | :-----------------: |
+| [NSG-1 - Configure Diagnostic Settings for all Azure Resources](#nsg-1---configure-diagnostic-settings-for-all-azure-resources)                                               | Monitoring        |  Medium   | Preview    |     No          |
+| [NSG-2 - Monitor changes in Network Security Groups with Azure Monitor](#nsg-2---monitor-changes-in-network-security-groups-with-azure-monitor)                               | Monitoring        |     Low   | Preview    |     No          |
+| [NSG-3 - Monitor changes in Network Security Groups with Azure Monitor](#nsg-3---configure-locks-for-network-security-groups-to-avoid-accidental-changes-andor-deletion)      | Governance        |     Low   | Preview    |     No          |
+| [NSG-4 - Monitor changes in Network Security Groups with Azure Monitor](#nsg-4---configure-nsg-flow-logs)                                                                     | Monitoring        |  Medium   | Preview    |     Yes          |
+| [NSG-5 - Monitor changes in Network Security Groups with Azure Monitor](#nsg-5---the-nsg-only-has-default-security-rules-make-sure-to-configure-the-necessary-rules)          | Access & Security |  Medium   | Preview    |     Yes          |
+{{< /table >}}
+
+{{< alert style="info" >}}
+
+Definitions of states can be found [here]({{< ref "../../../_index.md#definitions-of-terms-used-in-aprl">}})
+
+{{< /alert >}}
+
+## Recommendations Details
+
+### NSG-1 - Configure Diagnostic Settings for all Azure Resources
+
+**Category: Monitoring**
+
+**Impact: Medium**
+
+**Recommendation/Guidance**
+
+Resource Logs are not collected and stored until you create a diagnostic setting and route them to one or more locations.
+
+**Resources**
+
+- [Diagnostic settings in Azure Monitor](https://learn.microsoft.com/azure/azure-monitor/essentials/diagnostic-settings)
+
+**Resource Graph Query/Scripts**
+
+{{< collapse title="Show/Hide Query/Script" >}}
+
+{{< code lang="sql" file="code/nsg-1/nsg-1.kql" >}} {{< /code >}}
+
+{{< /collapse >}}
+
+<br><br>
+
+### NSG-2 - Monitor changes in Network Security Groups with Azure Monitor
+
+**Category: Monitoring**
+
+**Impact: Low**
+
+**Recommendation/Guidance**
+
+Create Alerts for administrative operations such as Create or Update Network Security Group rules with Azure Monitor to detect unauthorized/undesired changes to production resources, this alert can help identify undesired changes in the default security, such as attempts to by-pass firewalls or from accessing resources externally.
+
+**Resources**
+
+- [Azure Monitor activity log](https://learn.microsoft.com/azure/azure-monitor/essentials/activity-log?tabs=powershell)
+
+**Resource Graph Query/Scripts**
+
+{{< collapse title="Show/Hide Query/Script" >}}
+
+{{< code lang="sql" file="code/nsg-2/nsg-2.kql" >}} {{< /code >}}
+
+{{< /collapse >}}
+
+<br><br>
+
+### NSG-3 - Configure locks for Network Security Groups to avoid accidental changes and/or deletion
+
+**Category: **
+
+**Impact: Medium**
+
+**Recommendation/Guidance**
+
+As an administrator, you can lock an Azure subscription, resource group, or resource to protect them from accidental user deletions and modifications. The lock overrides any user permissions.
+You can set locks that prevent either deletions or modifications. In the portal, these locks are called Delete and Read-only.
+
+**Resources**
+
+- [Lock your resources to protect your infrastructure](https://learn.microsoft.com/azure/azure-resource-manager/management/lock-resources?toc=%2Fazure%2Fvirtual-network%2Ftoc.json&tabs=json)
+
+**Resource Graph Query/Scripts**
+
+{{< collapse title="Show/Hide Query/Script" >}}
+
+{{< code lang="sql" file="code/nsg-3/nsg-3.kql" >}} {{< /code >}}
+
+{{< /collapse >}}
+
+<br><br>
+
+### NSG-4 - Configure NSG Flow Logs
+
+**Category: Monitoring**
+
+**Impact: Medium**
+
+**Recommendation/Guidance**
+
+It's vital to monitor, manage, and know your own network so that you can protect and optimize it. You need to know the current state of the network, who's connecting, and where users are connecting from. You also need to know which ports are open to the internet, what network behavior is expected, what network behavior is irregular, and when sudden rises in traffic happen.
+
+Flow logs are the source of truth for all network activity in your cloud environment. Whether you're in a startup that's trying to optimize resources or a large enterprise that's trying to detect intrusion, flow logs can help. You can use them for optimizing network flows, monitoring throughput, verifying compliance, detecting intrusions, and more.
+
+**Resources**
+
+- [Flow logging for network security groups](https://learn.microsoft.com/azure/network-watcher/network-watcher-nsg-flow-logging-overview)
+
+**Resource Graph Query/Scripts**
+
+{{< collapse title="Show/Hide Query/Script" >}}
+
+{{< code lang="sql" file="code/nsg-4/nsg-4.kql" >}} {{< /code >}}
+
+{{< /collapse >}}
+
+<br><br>
+
+### NSG-5 - The NSG only has Default Security Rules, make sure to configure the necessary rules
+
+**Category: Access & Security**
+
+**Impact: Medium**
+
+**Recommendation/Guidance**
+
+You can use an Azure network security group to filter network traffic between Azure resources in an Azure virtual network. A network security group contains security rules that allow or deny inbound network traffic to, or outbound network traffic from, several types of Azure resources. For each rule, you can specify source and destination, port, and protocol.
+
+**Resources**
+
+- [Security rules](https://learn.microsoft.com/azure/virtual-network/network-security-groups-overview#security-rules)
+
+**Resource Graph Query/Scripts**
+
+{{< collapse title="Show/Hide Query/Script" >}}
+
+{{< code lang="sql" file="code/nsg-5/nsg-5.kql" >}} {{< /code >}}
+
+{{< /collapse >}}
+
+<br><br>

docs/content/services/networking/network-security-group/code/nsg-1/nsg-1.kql

@@ -0,0 +1,2 @@
+// Azure Resource Graph Query
+// Under development

docs/content/services/networking/network-security-group/code/nsg-2/nsg-2.kql

@@ -0,0 +1,2 @@
+// Azure Resource Graph Query
+// Under development

docs/content/services/networking/network-security-group/code/nsg-3/nsg-3.kql

@@ -0,0 +1,2 @@
+// Azure Resource Graph Query
+// Under development

docs/content/services/networking/network-security-group/code/nsg-4/nsg-4.kql

@@ -0,0 +1,6 @@
+// Azure Resource Graph Query
+// This query will return all NSGs that do not have flow logs enabled
+resources
+| where type =~ "microsoft.network/networksecuritygroups"
+| where isnull(properties.flowLogs)
+| project recommendationId = "nsg-4", name, id, param1 = "NSG Flow Logs Disabled"

docs/content/services/networking/network-security-group/code/nsg-5/nsg-5.kql

@@ -0,0 +1,7 @@
+// Azure Resource Graph Query
+// This query will return all NSGs that have NO security rules
+resources
+| where type =~ "microsoft.network/networksecuritygroups"
+| extend sr = string_size(properties.securityRules)
+| where sr <=2 or isnull(properties.securityRules)
+| project recommendationId = "nsg-5", name, id

docs/content/services/networking/network-watcher/_index.md

@@ -0,0 +1,75 @@
++++
+title = "Network Watcher"
+description = "Best practices and resiliency recommendations for Network Watcher and associated resources and settings."
+date = "9/19/23"
+author = "rodrigosantosms"
+msAuthor = "rodrigosantosmsS"
+draft = false
++++
+
+The presented resiliency recommendations in this guidance include Network Watcher and associated resources and settings.
+
+## Summary of Recommendations
+
+{{< table style="table-striped" >}}
+| Recommendation                                                                                                                                                      |  Category      |  Impact   |  State      | ARG Query Available |
+| :------------------------------------------------------------------------------------------------------------------------------------------------------------------ | :------------: | :------:  | :------:    | :-----------------: |
+| [NW-1 - Deploy Network Watcher in all regions where you have networking services](#nw-1---deploy-network-watcher-in-all-regions-where-you-have-networking-services) | Monitoring     |  Low      | Preview     |         Yes         |
+| [NW-2 - Fix Flow Log configurations in Failed state or Disabled Status](#nw-2---fix-flow-log-configurations-in-failed-state-or-disabled-status)                     | Monitoring     |  Low      | Preview     |         Yes          |
+{{< /table >}}
+
+{{< alert style="info" >}}
+
+Definitions of states can be found [here]({{< ref "../../../_index.md#definitions-of-terms-used-in-aprl">}})
+
+{{< /alert >}}
+
+## Recommendations Details
+
+### NW-1 - Deploy Network Watcher in all regions where you have networking services
+
+**Category: Monitoring**
+
+**Impact: Low**
+
+**Recommendation/Guidance**
+
+Azure Network Watcher provides a suite of tools to monitor, diagnose, view metrics, and enable or disable logs for Azure IaaS (Infrastructure-as-a-Service) resources. Network Watcher enables you to monitor and repair the network health of IaaS products like virtual machines (VMs), virtual networks (VNets), application gateways, load balancers, etc. Network Watcher isn't designed or intended for PaaS monitoring or Web analytics.
+
+**Resources**
+
+- [What is Azure Network Watcher?](https://learn.microsoft.com/azure/network-watcher/network-watcher-overview)
+
+**Resource Graph Query/Scripts**
+
+{{< collapse title="Show/Hide Query/Script" >}}
+
+{{< code lang="sql" file="code/nw-1/nw-1.kql" >}} {{< /code >}}
+
+{{< /collapse >}}
+
+<br><br>
+
+### NW-2 - Fix Flow Log configurations in Failed state or Disabled Status
+
+**Category: Monitoring**
+
+**Impact: Low**
+
+**Recommendation/Guidance**
+
+Network security group flow logging is a feature of Azure Network Watcher that allows you to log information about IP traffic flowing through a network security group. If the flow log is in Failed state, the monitoring data from the associated resource is not being collected.
+
+**Resources**
+
+- [Manage NSG flow logs using the Azure portal](https://learn.microsoft.com/azure/network-watcher/nsg-flow-logging)
+
+**Resource Graph Query/Scripts**
+
+{{< collapse title="Show/Hide Query/Script" >}}
+
+{{< code lang="sql" file="code/nw-2/nw-2.kql" >}} {{< /code >}}
+
+{{< /collapse >}}
+
+<br><br>

docs/content/services/networking/network-watcher/code/nw-1/nw-1.kql

@@ -0,0 +1,9 @@
+// Azure Resource Graph Query
+// This query will return all locations that do not have a Network Watcher deployed
+resources
+| where location != "global"
+| union (Resources
+    | where type =~ "microsoft.network/networkwatchers")
+| summarize NetworkWatcherCount = countif(type =~ 'Microsoft.Network/networkWatchers') by location
+| where NetworkWatcherCount == 0
+| project recommendationId = "nw-1", name=location, id="n/a", param1 = strcat("LocationMisingNetworkWatcher:", location)

docs/content/services/networking/network-watcher/code/nw-2/nw-2.kql

@@ -0,0 +1,10 @@
+// Azure Resource Graph Query
+// This query will return all Network Watcher Flow Logs that are not enabled or in a succeeded state
+resources
+| where type =~ "microsoft.network/networkwatchers/flowlogs" and isnotnull(properties)
+| extend targetResourceId = tostring(properties.targetResourceId)
+| extend status = iff(properties.enabled =~ 'true', "Enabled", "Disabled")
+| extend provisioningState = tostring(properties.provisioningState)
+| extend flowLogType = iff(properties.targetResourceId contains "Microsoft.Network/virtualNetworks", 'Virtual network', 'Network security group')
+| where provisioningState != "Succeeded" or status != "Enabled"
+| project recommendationId = "nw-2", name, id, param1 = strcat("provisioningState:", provisioningState), param2=strcat("Status:", status), param3=strcat("targetResourceId:",targetResourceId), param4=strcat("flowLogType:",flowLogType)

docs/content/services/networking/private-endpoints/_index.md

@@ -0,0 +1,50 @@
++++
+title = "Private Endpoints"
+description = "Best practices and resiliency recommendations for Private Endpoints and associated resources and settings."
+date = "9/19/23"
+author = "CHANGE ME TO YOUR GITHUB USERNAME"
+msAuthor = "CHANGE ME TO YOUR MICROSOFT ALIAS"
+draft = false
++++
+
+The presented resiliency recommendations in this guidance include Private Endpoints and associated resources and settings.
+
+## Summary of Recommendations
+
+{{< table style="table-striped" >}}
+| Recommendation                                                                                                                                                      |  Category       |  Impact     |  State    | ARG Query Available |
+| :------------------------------------------------------------------------------------------------------------------------------------------------------------------ | :-------------: | :------:    | :------:  | :-----------------: |
+| [PEP-1 - Resolve issues with Private Endpoints in non Succeeded connection state](#pep-1---resolve-issues-with-private-endpoints-in-non-succeeded-connection-state) | Networking      | Medium      | Preview   |         Yes         |
+{{< /table >}}
+
+{{< alert style="info" >}}
+
+Definitions of states can be found [here]({{< ref "../../../_index.md#definitions-of-terms-used-in-aprl">}})
+
+{{< /alert >}}
+
+## Recommendations Details
+
+### PEP-1 - Resolve issues with Private Endpoints in non Succeeded connection state
+
+**Category: Networking**
+
+**Impact: Medium**
+
+**Recommendation/Guidance**
+
+A private endpoint has two custom properties, static IP address and the network interface name. These properties must be set when the private endpoint is created. I the state is not in Succeeded state, there might be a problem with the private endpoint or with the associated resource.
+
+**Resources**
+
+- [Private endpoint connections](https://learn.microsoft.com/azure/private-link/manage-private-endpoint?tabs=manage-private-link-powershell#private-endpoint-connections)
+
+**Resource Graph Query/Scripts**
+
+{{< collapse title="Show/Hide Query/Script" >}}
+
+{{< code lang="sql" file="code/pep-1/pep-1.kql" >}} {{< /code >}}
+
+{{< /collapse >}}
+
+<br><br>

docs/content/services/networking/private-endpoints/code/pep-1/pep-1.kql

@@ -0,0 +1,6 @@
+// Azure Resource Graph Query
+// This query will return all Private Endpoints that are not in a Succeeded state
+resources
+| where type =~ "microsoft.network/privateendpoints"
+| where properties.provisioningState != "Succeeded" or properties.privateLinkServiceConnections[0].properties.provisioningState != "Succeeded"
+| project recommendationId = "pep-1", name, id, param1 = strcat("provisioningState: ", tostring(properties.provisioningState)), param2 = strcat("provisioningState: ", tostring(properties.privateLinkServiceConnections[0].properties.provisioningState))