Azure · oZakari · Apr 4, 2024 · Mar 8, 2024 · Mar 18, 2024 · Apr 4, 2024
@@ -16,7 +16,7 @@ The below table shows the list of resiliency recommendations for Front Door and
 {{< table style="table-striped" >}}
 | Recommendation                                                                                                                                                      |     Category      | Impact |  State  | ARG Query Available |
 |:--------------------------------------------------------------------------------------------------------------------------------------------------------------------|:-----------------:|:------:|:-------:|:-------------------:|
-| [AFD-1 - Avoid combining Traffic Manager and Front Door](#afd-1---avoid-combining-traffic-manager-and-front-door)                                                   |    Networking     |  High  | Verified |         No          |
+| [AFD-1 - Avoid combining Traffic Manager and Front Door](#afd-1---avoid-combining-traffic-manager-and-front-door)                                                   |    Networking     |  High  | Verified |         Yes        |
 | [AFD-2 - Restrict traffic to your origins](#afd-2---restrict-traffic-to-your-origins)                                                                               | Access & Security |  High  | Verified |         No          |
 | [AFD-3 - Use the latest API version and SDK version](#afd-3---use-the-latest-api-version-and-sdk-version)                                                           |    Networking     | Medium | Verified |         No          |
 | [AFD-4 - Configure logs](#afd-4---configure-logs)                                                                                                                   |    Monitoring     | Medium | Verified |         No          |
@@ -26,8 +26,8 @@ The below table shows the list of resiliency recommendations for Front Door and
 | [AFD-8 - Use latest version for customer-managed certificates](#afd-8---use-latest-version-for-customer-managed-certificates)                                       | Access & Security | Medium | Verified |         No          |
 | [AFD-9 - Use the same domain name on Front Door and your origin](#afd-9---use-the-same-domain-name-on-front-door-and-your-origin)                                   |    Networking     | Medium | Verified |         No          |
 | [AFD-10 - Enable the WAF](#afd-10---enable-the-waf)                                                                                                                 | Access & Security | Medium | Verified |         No          |
-| [AFD-11 - Disable health probes when there is only one origin in an origin group](#afd-11---disable-health-probes-when-there-is-only-one-origin-in-an-origin-group) |   Availability    |  Low   | Verified |         No          |
-| [AFD-12 - Select good health probe endpoints](#afd-12---select-good-health-probe-endpoints)                                                                         |   Availability    | Medium | Verified |         No          |
+| [AFD-11 - Disable health probes when there is only one origin in an origin group](#afd-11---disable-health-probes-when-there-is-only-one-origin-in-an-origin-group) |   Availability    |  Low   | Verified |         Yes         |
+| [AFD-12 - Select good health probe endpoints](#afd-12---select-good-health-probe-endpoints)                                                                         |   Availability    | Medium | Verified |         Yes         |
 | [AFD-13 - Use HEAD health probes](#afd-13---use-head-health-probes)                                                                                                 | System Efficiency | Medium | Verified |         No          |
 | [AFD-14 - Use geo-filtering in Azure Front Door](#afd-14---use-geo-filtering-in-azure-front-door)                                                                   | Access & Security | Medium | Verified |         No          |
 | [AFD-15 - Secure your Origin with Private Link in Azure Front Door](#afd-15---secure-your-origin-with-private-link-in-azure-front-door)                             | Access & Security | Medium | Verified |         No          |

@@ -1 +1,30 @@
-// under-development
+// Azure Resource Graph Query
+// Avoid combining Traffic Manager and Front Door
+resources
+| where type == "microsoft.network/trafficmanagerprofiles"
+| mvexpand(properties.endpoints)
+| extend endpoint=tostring(properties_endpoints.properties.target)
+| project name, trafficmanager=id, matchname=endpoint, tags
+| join (
+    resources
+    | where type =~ "microsoft.cdn/profiles/afdendpoints"
+    | extend matchname= tostring(properties.hostName)
+    | extend splitid=split(id, "/")
+    | extend frontdoorid=tolower(strcat_array(array_slice(splitid, 0, 8), "/"))
+    | project name, id, matchname, frontdoorid, type
+    | union
+        (cdnresources
+        | where type =~ "Microsoft.Cdn/Profiles/CustomDomains"
+        | extend matchname= tostring(properties.hostName)
+        | extend splitid=split(id, "/")
+        | extend frontdoorid=tolower(strcat_array(array_slice(splitid, 0, 8), "/"))
+        | project name, id, matchname, frontdoorid, type)
+    )
+    on matchname
+| project
+    recommendationId = "afd-1",
+    name=split(trafficmanager, "/")[-1],
+    id=trafficmanager,
+    tags,
+    param1=strcat("hostname:", matchname),
+    param2=strcat("frontdoorid:", frontdoorid)
@@ -1 +1,40 @@
 // under-development
+// Azure Resource Graph Query
+// AFD-10 - Enable the WAF
+
+resources
+| where type =~ "microsoft.cdn/profiles" and sku has "AzureFrontDoor"
+| project name, cdnprofileid=tolower(id), tostring(tags), resourceGroup, subscriptionId,skuname=tostring(sku.name)
+| join kind= fullouter (
+    cdnresources
+    | where type == "microsoft.cdn/profiles/securitypolicies"
+    | extend wafpolicyid=tostring(properties['parameters']['wafPolicy']['id'])
+    | extend splitid=split(id, "/")
+    | extend cdnprofileid=tolower(strcat_array(array_slice(splitid, 0, 8), "/"))
+    | project secpolname=name, cdnprofileid, wafpolicyid
+    )
+    on cdnprofileid
+| project name, cdnprofileid, secpolname, wafpolicyid,skuname
+| join kind = fullouter (
+    resources
+    | where type == "microsoft.network/frontdoorwebapplicationfirewallpolicies"
+    | extend
+        managedrulesenabled=iff(tostring(properties.managedRules.managedRuleSets) != "[]", true, false),
+        enabledState = tostring(properties.policySettings.enabledState)
+    | project afdwafname=name, managedrulesenabled, wafpolicyid=id, enabledState, tostring(tags)
+    )
+    on wafpolicyid
+| where name != ""
+| summarize
+    associatedsecuritypolicies=countif(secpolname != ""),
+    wafswithmanagedrules=countif(managedrulesenabled == 1)
+    by name, id=cdnprofileid, tags,skuname
+| where associatedsecuritypolicies == 0 or wafswithmanagedrules  == 0
+| project
+    recommendationId = "afd-10",
+    name,
+    id,
+    todynamic(tags),
+    param1 = strcat("associatedsecuritypolicies:", associatedsecuritypolicies),
+    param2 = strcat("wafswithmanagedrules:", wafswithmanagedrules),
+    param3 = strcat("skuname:",skuname)
@@ -1 +1,21 @@
-// under-development
+// Azure Resource Graph Query
+// AFD-11 - Disable health probes when there is only one origin in an origin group
+cdnresources
+| where type =~ "microsoft.cdn/profiles/origingroups"
+| extend healthprobe=tostring(properties.healthProbeSettings)
+| project origingroupname=name, id, tags, resourceGroup, subscriptionId, healthprobe
+| join (
+    cdnresources
+    | where type =~ "microsoft.cdn/profiles/origingroups/Origins"
+    | extend origingroupname = tostring(properties.originGroupName)
+    )
+    on origingroupname
+| summarize origincount=count(), enabledhealthprobecount=countif(healthprobe != "") by origingroupname, id, tostring(tags), resourceGroup, subscriptionId
+| where origincount == 1 and enabledhealthprobecount != 0
+| project
+    recommendationId = "afd-11",
+    name=origingroupname,
+    id,
+    todynamic(tags),
+    param1 = strcat("origincount:", origincount),
+    param2 = strcat("enabledhealthprobecount:", enabledhealthprobecount)