Azure · oZakari · Oct 17, 2023 · Sep 13, 2023 · Sep 13, 2023 · Sep 13, 2023
diff --git a/docs/content/services/compute/virtual-machine-scale-sets/_index.md b/docs/content/services/compute/virtual-machine-scale-sets/_index.md
@@ -23,6 +23,7 @@ The presented resiliency recommendations in this guidance include Virtual Machin
 | [VMSS-7 - Configure Allocation Policy Spreading algorithm to Max Spreading](#vmss-7---configure-allocation-policy-spreading-algorithm-to-max-spreading)                                                     |  Medium | Preview |         Yes         |
 | [VMSS-8 - Deploy VMSS across availability zones with VMSS Flex](#vmss-8---deploy-vmss-across-availability-zones-with-vmss-flex)                                                                             |  High   | Preview |         Yes         |
 | [VMSS-9 - Set Patch orchestration options to Azure-orchestrated](#vmss-9---set-patch-orchestration-options-to-azure-orchestrated)                                                                           |  Low    | Preview |         No          |
+
 {{< /table >}}
 
 {{< alert style="info" >}}
@@ -260,3 +261,4 @@ Enabling automatic VM guest patching for your Azure VMs helps ease update manage
 {{< /collapse >}}
 
 <br><br>
+
diff --git a/docs/content/services/compute/virtual-machine-scale-sets/code/vmss-10/vmss-10.kql b/docs/content/services/compute/virtual-machine-scale-sets/code/vmss-10/vmss-10.kql
@@ -0,0 +1,7 @@
+// Azure Resource Graph Query
+// This query will check if the VMSS are currently using the latest image.  If not the Image reference will be empty
+resources
+| where type == "microsoft.compute/virtualmachinescalesets"
+| extend VMSSName = name
+| extend ImageReference = tostring(properties.virtualMachineProfile.storageProfile.imageReference.version)
+| project recommendationId="vmss-10",name,id, param1="ImageReference"
@@ -18,13 +18,14 @@ The presented resiliency recommendations in this guidance include Application Ga
 | [AGW-2 - Secure all incoming connections with SSL](#agw-2---secure-all-incoming-connections-with-ssl)                                   |  High    | Preview  | Yes |
 | [AGW-3 - Enable WAF policies](#agw-3---enable-web-application-firewall-policies)                                                        |  High    | Preview  | Yes |
 | [AGW-4 - Use Application GW V2 instead of V1](#agw-4---use-application-gw-v2-instead-of-v1)                                             |  High    | Preview  | Yes |
-| [AGW-5 - Monitor and Log the configurations and traffic](#agw-5---monitor-and-log-the-configurations-and-traffic)                       |  Medium  | Preview  | Yes |
+| [AGW-5 - Monitor and Log the configurations and traffic](#agw-5---monitor-and-log-the-configurations-and-traffic)                       |  Medium  | Preview  | No |
 | [AGW-6 - Use Health Probes to detect backend availability](#agw-6---use-health-probes-to-detect-backend-availability)                   |  Medium  | Preview  | Yes |
-| [AGW-7 - Deploy backends in a zone-redundant configuration](#agw-7---deploy-backends-in-a-zone-redundant-configuration)                 |  High    | Preview  | Yes |
+| [AGW-7 - Deploy backends in a zone-redundant configuration](#agw-7---deploy-backends-in-a-zone-redundant-configuration)                 |  High    | Preview  | No |
 | [AGW-8 - Plan for backend maintenance by using connection draining](#agw-8---plan-for-backend-maintenance-by-using-connection-draining) |  Medium  | Preview  | Yes |
+| [AGW-9 - Ensure Application Gateway Subnet is using a /24 subnet mask](#agw-9---ensure-application-gateway-subnet-is-using-a-24-subnet-mask)                       |  High    | Preview  | Yes |
 
 {{< /table >}}
-
+========
 {{< alert style="info" >}}
 
 Definitions of states can be found [here]({{< ref "../../../_index.md#definitions-of-terms-used-in-aprl">}})
@@ -227,11 +228,29 @@ Plan for backend maintenance by using connection draining. Connection draining h
 - [Application Gateway Connection Draining HTTP Settings](https://learn.microsoft.com/azure/application-gateway/configuration-http-settings#connection-draining)
 
 **Resource Graph Query/Scripts**
-
 {{< collapse title="Show/Hide Query/Script" >}}
 
 {{< code lang="sql" file="code/agw-8/agw-8.kql" >}} {{< /code >}}
 
 {{< /collapse >}}
 
 <br><br>
+
+### AGW-9 - Ensure Application Gateway Subnet is using a /24 subnet mask
+
+**Impact: High**
+
+**Recommendation/Guidance**
+
+Application Gateway (Standard_v2 or WAF_v2 SKU) can support up to 125 instances. Although a /24 subnet isn't required per Application Gateway v2 SKU deployment, it is highly recommended. This is to ensure that Application Gateway v2 has sufficient space for autoscaling expansion and maintenance upgrades.
+
+**Resources**
+
+- [Azure Application Gateway infrastructure configuration | Microsoft Learn](https://learn.microsoft.com/en-us/azure/application-gateway/configuration-infrastructure#size-of-the-subnet)
+
+**Resource Graph Query/Scripts**
+
+{{< collapse title="Show/Hide Query/Script" >}}
+{{< code lang="sql" file="code/agw-1/agw-9.kql" >}} {{< /code >}}
+{{< /collapse >}}
+<br><br>
@@ -5,3 +5,4 @@ resources
 | where isnull(properties.capacity.autoScaleConfiguration) or properties.capacity.autoScaleConfiguration.minCapacity <= 1
 | project recommendationId = "agw-1", name, id, param1 = "autoScaleConfiguration: isNull or MinCapacity <= 1"
 | order by id asc
+
@@ -1,3 +1,5 @@
+// Azure Resource Graph Query
+// You can use the following Azure Resource Graph query to check if an HTTP rule is using an SSL certificate or is using Azure Key Vault to store the certificates
 resources
 | where type == "microsoft.network/applicationGateways"
 | extend ssl_enabled = tobool(isnotnull(properties.sslCertificates[0].keyVaultSecretId) or isnotnull(properties.sslCertificates[0].keyVaultSecretUrl))

@@ -5,3 +5,4 @@ Resources
 | where isnull(properties.webApplicationFirewallConfiguration)
 | project recommendationId = "agw-3", name, id, param1 = "webApplicationFirewallConfiguration: isNull"
 | order by id asc
+
@@ -6,3 +6,4 @@ resources
 | where sku != "waf_v2" and sku != "standard_v2"
 | project recommendationId = "agw-4", name, id, param1 = "sku: v1"
 | order by id asc
+
@@ -1,42 +1 @@
-// under development
-// resources
-// where type == "microsoft.network/applicationGateways"
-//| extend resourceId = tostring(id)
-//| join (Resources
-//        | where type == "microsoft.insights/components"
-//        | extend componentName = name
-//        | extend componentResourceId = id
-//        | project componentResourceId, componentName
-//       ) on $left.resourceId == $right.componentResourceId
-//| extend startDateTime = ago(30d)
-//| extend endDateTime = now()
-//| mvexpand componentName
-//| summarize by name, componentName, componentResourceId
-//| project name, componentName, componentResourceId,
-//    appGatewayLogs = make_list(
-//        {
-//            type = "ApplicationGatewayAccess",
- //           workspace = componentName,
-//            startDateTime = startDateTime,
-//            endDateTime = endDateTime,
-//            resourceId = resourceId
-//        }
-//    ),
-//    appGatewayConfigLogs = make_list(
-//        {
-//            type = "ApplicationGatewayConfig",
-//            workspace = componentName,
-//            startDateTime = startDateTime,
-//            endDateTime = endDateTime,
-//            resourceId = resourceId
-//        }
-//    ),
-//    appGatewayWafLogs = make_list(
-//        {
-//            type = "ApplicationGatewayFirewallLog",
-//            workspace = componentName,
-//            startDateTime = startDateTime,
-//            endDateTime = endDateTime,
-//            resourceId = resourceId
-//        }
-//    )
+// cannot-be-validated-with-arg
@@ -1,8 +1,11 @@
+// Azure Resource Graph Query
+// You can use the following Azure Resource Graph query to check which App GWs are not using SSL certs
 //under development
-//Resources
-//| where type == "microsoft.network/applicationGateways"
-//| extend appGatewayResourceId = tostring(id)
-//| mvexpand probeConfig = properties.probes
-//| where probeConfig.probeName != "GatewaySslCertificate"
-//| where iif(isnotempty(probeConfig.pickHostName), "Yes", "No")
-//| project recommendationId="agw-6",name, id, param1=strcat("appGatewayResourceId: ", appGatewayResourceId), param2=strcat("customHealthProbeUsed :", customHealthProbeUsed)
+Resources
+| where type == "microsoft.network/applicationGateways"
+| extend appGatewayResourceId = tostring(id)
+| mvexpand probeConfig = properties.probes
+| where probeConfig.probeName != "GatewaySslCertificate"
+| where iif(isnotempty(probeConfig.pickHostName), "Yes", "No")
+| project recommendationId="agw-6",name, id, param1=strcat("appGatewayResourceId: ", appGatewayResourceId), param2=strcat("customHealthProbeUsed :", customHealthProbeUsed)
+
@@ -1,5 +1,8 @@
+// Azure Resource Graph Query
+// You can use the following Azure Resource Graph Query to see if the Application Gateway is zone redundant
 Resources
 | where type == "microsoft.network/applicationGateways"
 | extend appGatewayResourceId = tostring(id)
 | extend zoneRedundant = tostring(properties.enableZoneRedundancy)
 | project appGatewayResourceId, zoneRedundant
+
@@ -1,5 +1,8 @@
+// Azure Resource Graph Query
+// This query will check if connection draining is enabled
 Resources
 | where type == "microsoft.network/applicationGateways"
 | extend appGatewayResourceId = tostring(id)
 | extend connectionDrainingEnabled = tostring(properties.backendAddressPoolSettings.connectionDraining.enabled)
-| project appGatewayResourceId, connectionDrainingEnabled
+| project recommendationId = "agw-8", name, id, param1 = "appGatewayResourceId", param2 ="connectionDrainingEnabled"
+
@@ -0,0 +1 @@
+// cannot-be-validated-with-arg