Azure · rodrigosantosms · Sep 19, 2023 · Sep 14, 2023 · Sep 15, 2023 · Sep 18, 2023
diff --git a/docs/content/contributing/_index.md b/docs/content/contributing/_index.md
@@ -1,7 +1,7 @@
 +++
 title = "Contributing"
 description = "Contribution Guide for the Azure Proactive Resiliency Library (APRL)"
-weight = 2
+weight = 3
 +++
 {{< panel title="Contributions Notice" style="warning" >}} Currently we can only accept contributions from Microsoft FTEs. In the future we will look to change this. {{< /panel >}}
 

diff --git a/docs/content/services/compute/virtual-machine-scale-sets/_index.md b/docs/content/services/compute/virtual-machine-scale-sets/_index.md
@@ -14,14 +14,14 @@ The presented resiliency recommendations in this guidance include Virtual Machin
 {{< table style="table-striped" >}}
 | Recommendation                                                                                                                                                                                              | Impact  |  State  | ARG Query Available |
 | :---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | :----:  | :-----: | :-----------------: |
-| [VMSS-1 - Deploy VMSSs with Flex orchestration mode instead of Uniform](#vmss-1---deploy-vmsss-with-flex-orchestration-mode-instead-of-uniform)                                                              | Medium  | Preview |         No          |
-| [VMSS-2 - Enable Virtual Machine Scale Sets application health monitoring](#vmss-2---enable-virtual-machine-scale-sets-application-health-monitoring)                                                       |  Low    | Preview |         No          |
-| [VMSS-3 - Enable Automatic repair policy](#vmss-3---enable-automatic-repair-policy)                                                                                                                         |  High   | Preview |         No          |
-| [VMSS-4 - Configure Virtual Machine Scale Sets Autoscale to Custom and configure the scaling metrics](#vmss-4---configure-virtual-machine-scale-sets-autoscale-to-custom-and-configure-the-scaling-metrics) |  High   | Preview |         No          |
-| [VMSS-5 - Enable Predictive autoscale and configure at least for Forecast Only](#vmss-5---enable-predictive-autoscale-and-configure-at-least-for-forecast-only)                                             |  Low    | Preview |         No          |
-| [VMSS-6 - Disable Force strictly even balance across zones to avoid scale in and out fail attempts](#vmss-6---disable-force-strictly-even-balance-across-zones-to-avoid-scale-in-and-out-fail-attempts)     |  Low    | Preview |         No          |
-| [VMSS-7 - Configure Allocation Policy Spreading algorithm to Max Spreading](#vmss-7---configure-allocation-policy-spreading-algorithm-to-max-spreading)                                                     |  Low    | Preview |         No          |
-| [VMSS-8 - Deploy VMSS across availability zones with VMSS Flex](#vmss-8---deploy-vmss-across-availability-zones-with-vmss-flex)                                                                             |  Low    | Preview |         No          |
+| [VMSS-1 - Deploy VMSS with Flex orchestration mode instead of Uniform](#vmss-1---deploy-vmss-with-flex-orchestration-mode-instead-of-uniform)                                                              |  Medium | Preview |         Yes         |
+| [VMSS-2 - Enable VMSS application health monitoring](#vmss-2---enable-vmss-application-health-monitoring)                                                                                                   |  Medium | Preview |         No          |
+| [VMSS-3 - Enable Automatic Repair policy](#vmss-3---enable-automatic-repair-policy)                                                                                                                         |  High   | Preview |         No          |
+| [VMSS-4 - Configure VMSS autoscale to custom and configure the scaling metrics](#vmss-4---configure-vmss-autoscale-to-custom-and-configure-the-scaling-metrics)                                             |  High   | Preview |         Yes         |
+| [VMSS-5 - Enable Predictive Autoscale and configure at least for Forecast Only](#vmss-5---enable-predictive-autoscale-and-configure-at-least-for-forecast-only)                                             |  Low    | Preview |         Yes         |
+| [VMSS-6 - Disable Force strictly even balance across zones to avoid scale in and out fail attempts](#vmss-6---disable-force-strictly-even-balance-across-zones-to-avoid-scale-in-and-out-fail-attempts)     |  High   | Preview |         Yes         |
+| [VMSS-7 - Configure Allocation Policy Spreading algorithm to Max Spreading](#vmss-7---configure-allocation-policy-spreading-algorithm-to-max-spreading)                                                     |  Medium | Preview |         Yes         |
+| [VMSS-8 - Deploy VMSS across availability zones with VMSS Flex](#vmss-8---deploy-vmss-across-availability-zones-with-vmss-flex)                                                                             |  High   | Preview |         Yes         |
 | [VMSS-9 - Set Patch orchestration options to Azure-orchestrated](#vmss-9---set-patch-orchestration-options-to-azure-orchestrated)                                                                           |  Low    | Preview |         No          |
 {{< /table >}}
 
@@ -33,7 +33,7 @@ Definitions of states can be found [here]({{< ref "../../../_index.md#definition
 
 ## Recommendations Details
 
-### VMSS-1 - Deploy VMSSs with Flex orchestration mode instead of Uniform
+### VMSS-1 - Deploy VMSS with Flex orchestration mode instead of Uniform
 
 **Impact: Medium**
 
@@ -56,7 +56,7 @@ Even single instance VMs should be deployed into a scale set using the Flexible
 
 <br><br>
 
-### VMSS-2 - Enable Virtual Machine Scale Sets application health monitoring
+### VMSS-2 - Enable VMSS application health monitoring
 
 **Category: Monitoring**
 
@@ -80,7 +80,7 @@ Monitoring your application health is an important signal for managing and upgra
 
 <br><br>
 
-### VMSS-3 - Enable Automatic repair policy
+### VMSS-3 - Enable Automatic Repair policy
 
 **Category: Automation**
 
@@ -106,7 +106,7 @@ Grace period is specified in minutes in ISO 8601 format and can be set using the
 
 <br><br>
 
-### VMSS-4 - Configure Virtual Machine Scale Sets Autoscale to Custom and configure the scaling metrics
+### VMSS-4 - Configure VMSS Autoscale to custom and configure the scaling metrics
 
 **Category: System Efficiency**
 

diff --git a/docs/content/services/compute/virtual-machine-scale-sets/code/vmss-2/vmss-2.kql b/docs/content/services/compute/virtual-machine-scale-sets/code/vmss-2/vmss-2.kql
@@ -1,5 +1,5 @@
 // Azure Resource Graph Query
 // Under development
-//resources
+// resources
 //| where type == "microsoft.compute/virtualmachinescalesets"
 //| project recommendationId = "vmss-2", name, id
diff --git a/docs/content/services/compute/virtual-machine-scale-sets/code/vmss-3/vmss-3.kql b/docs/content/services/compute/virtual-machine-scale-sets/code/vmss-3/vmss-3.kql
@@ -1,5 +1,5 @@
 // Azure Resource Graph Query
 // Under development
-//resources
+// resources
 //| where type == "microsoft.compute/virtualmachinescalesets"
-//| project recommendationId = "vmss-2", name, id
+//| project recommendationId = "vmss-3", name, id
diff --git a/docs/content/services/compute/virtual-machine-scale-sets/code/vmss-9/vmss-9.kql b/docs/content/services/compute/virtual-machine-scale-sets/code/vmss-9/vmss-9.kql
@@ -1,5 +1,5 @@
 // Azure Resource Graph Query
 // Under development
-//resources
+// resources
 //| where type == "microsoft.compute/virtualmachinescalesets"
-//| project recommendationId = "vmss-2", name, id
+//| project recommendationId = "vmss-3", name, id
diff --git a/docs/content/services/container/azure-container-registry/code/cr-1/cr-1.kql b/docs/content/services/container/azure-container-registry/code/cr-1/cr-1.kql
@@ -3,5 +3,5 @@
 resources
 | where type =~ "microsoft.containerregistry/registries"
 | where sku.name != "Premium"
-| project recommendationId = "cr-1", name, id
+| project recommendationId = "cr-1", name, id, param1=strcat("SkuName: ", tostring(sku.name))
 | order by id asc
diff --git a/docs/content/services/container/azure-container-registry/code/cr-2/cr-2.kql b/docs/content/services/container/azure-container-registry/code/cr-2/cr-2.kql
@@ -2,6 +2,6 @@
 // Find all Container Registries that do not have zone redundancy enabled
 resources
 | where type =~ "microsoft.containerregistry/registries"
-| where properties.zoneRedundancy == "Disabled"
-| project recommendationId = "cr-2", name, id
+| where sku.name != "Premium" or properties.zoneRedundancy != "Enabled"
+| project recommendationId = "cr-2", name, id, param1=strcat("zoneRedundancy: ", tostring(properties.zoneRedundancy))
 | order by id asc
@@ -1,4 +1,7 @@
-Resources
-| where type == "microsoft.network/applicationGateways"
-| where properties.capacity.autoScaleConfiguration != null
-| where properties.capacity.autoScaleConfiguration.minCapacity >= 2
+// Azure Resource Graph Query
+// This query will return all Application Gateways that do not have autoscale enabled or have a min capacity of 1
+resources
+| where type =~ "microsoft.network/applicationGateways"
+| where isnull(properties.capacity.autoScaleConfiguration) or properties.capacity.autoScaleConfiguration.minCapacity <= 1
+| project recommendationId = "appgw-1", name, id, param1 = "autoScaleConfiguration: isNull or MinCapacity <= 1"
+| order by id asc
@@ -1,4 +1,7 @@
+// Azure Resource Graph Query
+// This query will return all Application Gateways that do not have WAF enabled
 Resources
-| where type == "microsoft.network/applicationGateways"
-| where properties.webApplicationFirewallConfiguration != null
-| project name, waf_enabled = tobool(properties.webApplicationFirewallConfiguration.enabled)
+| where type =~ "microsoft.network/applicationGateways"
+| where isnull(properties.webApplicationFirewallConfiguration)
+| project recommendationId = "appgw-3", name, id, param1 = "webApplicationFirewallConfiguration: isNull"
+| order by id asc
@@ -1,6 +1,8 @@
-Resources
-| where type == "microsoft.network/applicationGateways"
+// Azure Resource Graph Query
+// This query will return all Application Gateways in your Azure environment and will identify if they are v1 or v2
+resources
+| where type =~ "microsoft.network/applicationGateways"
 | extend sku = tolower(tostring(properties.sku.name))
-| extend is_v2 = iif(startswith(sku, "standard_v2"), true, false)
-| extend is_v1 = iif(startswith(sku, "standard"), not(is_v2), false)
-| project name, is_v1, is_v2
+| where sku != "waf_v2" and sku != "standard_v2"
+| project recommendationId = "appgw-4", name, id, param1 = "sku: v1"
+| order by id asc
@@ -1,5 +1,7 @@
+// Azure Resource Graph Query
+// Find all LoadBalancers using Basic SKU
 resources
 | where type =~ 'Microsoft.Network/loadbalancers'
 | extend sku = tostring(sku.name)
-| where sku != 'Standard'
-| project id,name,resourceGroup,subscriptionId,sku
+| where sku == 'Basic'
+| project recommendationId = "lb-1", name, id, sku
@@ -1,16 +1,16 @@
 // Azure Resource Graph Query
-// Find all LoadBalancers which only have 1 backend pool defined
-Resources
+// Find all LoadBalancers which only have 1 backend pool defined or only 1 VM in the backend pool
+resources
 | where type =~ 'Microsoft.Network/loadBalancers'
 | extend bep = properties.backendAddressPools
 | extend BackEndPools = array_length(bep)
 | where BackEndPools == 0
-| project recommendationId = "lb-2", name, id, BackEndPools, BackendAddresses=0
-| union (Resources
-| where type =~ 'Microsoft.Network/loadBalancers'
-| extend bep = properties.backendAddressPools
-| extend BackEndPools = array_length(bep)
-| mv-expand bip = properties.backendAddressPools
-| extend BackendAddresses = array_length(bip.properties.loadBalancerBackendAddresses)
-| where BackendAddresses <= 1
-| project recommendationId = "lb-2", name, id, BackEndPools, BackendAddresses)
+| project recommendationId = "lb-2", name, id, Param1=BackEndPools, Param2=0
+| union (resources
+        | where type =~ 'Microsoft.Network/loadBalancers'
+        | extend bep = properties.backendAddressPools
+        | extend BackEndPools = array_length(bep)
+        | mv-expand bip = properties.backendAddressPools
+        | extend BackendAddresses = array_length(bip.properties.loadBalancerBackendAddresses)
+        | where BackendAddresses <= 1
+        | project recommendationId = "lb-2", name, id, Param1=BackEndPools, Param2=BackendAddresses)
@@ -1,9 +1,6 @@
-Resources
+// Azure Resource Graph Query
+// Find all LoadBalancers with Outbound rules configured
 | where type =~ 'Microsoft.Network/loadBalancers'
-| extend backendAddressPools = properties.backendAddressPools
-| mv-expand backendAddressPool = backendAddressPools
-| extend backendIPConfigurations = backendAddressPool.properties.backendIPConfigurations
-| mv-expand backendIPConfiguration = backendIPConfigurations
-| extend outboundRules = backendIPConfiguration.properties.outboundRules
-| mv-expand outboundRule = outboundRules
-| project LoadBalancerName = name, OutboundRuleName = outboundRule.name, OutboundRuleDescription = outboundRule.properties.description, OutboundRuleProtocol = outboundRule.properties.protocol, OutboundRuleSourceAddressPrefix = outboundRule.properties.sourceAddressPrefix, OutboundRuleSourcePortRange = outboundRule.properties.sourcePortRange, OutboundRuleDestinationAddressPrefix = outboundRule.properties.destinationAddressPrefix, OutboundRuleDestinationPortRange = outboundRule.properties.destinationPortRange
+| extend outboundRules = array_length(properties.outboundRules)
+| where outboundRules > 0
+| project recommendationId = "lb-3", name, id, Param1 = "outboundRules: >=1"
@@ -0,0 +1,153 @@
++++
+title = "Network Security Group"
+description = "Best practices and resiliency recommendations for Network Security Group and associated resources and settings."
+date = "9/19/23"
+author = "rodrigosantosms"
+msAuthor = "rodrigosantosms"
+draft = false
++++
+
+The presented resiliency recommendations in this guidance include Network Security Group and associated resources and settings.
+
+## Summary of Recommendations
+
+{{< table style="table-striped" >}}
+| Recommendation                                                                                                                                                                |  Category         |  Impact   |  State     | ARG Query Available |
+| :---------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | :--------------:  | :------:  | :------:   | :-----------------: |
+| [NSG-1 - Configure Diagnostic Settings for all Azure Resources](#nsg-1---configure-diagnostic-settings-for-all-azure-resources)                                               | Monitoring        |  Medium   | Preview    |     No          |
+| [NSG-2 - Monitor changes in Network Security Groups with Azure Monitor](#nsg-2---monitor-changes-in-network-security-groups-with-azure-monitor)                               | Monitoring        |     Low   | Preview    |     No          |
+| [NSG-3 - Monitor changes in Network Security Groups with Azure Monitor](#nsg-3---configure-locks-for-network-security-groups-to-avoid-accidental-changes-andor-deletion)      | Governance        |     Low   | Preview    |     No          |
+| [NSG-4 - Monitor changes in Network Security Groups with Azure Monitor](#nsg-4---configure-nsg-flow-logs)                                                                     | Monitoring        |  Medium   | Preview    |     Yes          |
+| [NSG-5 - Monitor changes in Network Security Groups with Azure Monitor](#nsg-5---the-nsg-only-has-default-security-rules-make-sure-to-configure-the-necessary-rules)          | Access & Security |  Medium   | Preview    |     Yes          |
+{{< /table >}}
+
+{{< alert style="info" >}}
+
+Definitions of states can be found [here]({{< ref "../../../_index.md#definitions-of-terms-used-in-aprl">}})
+
+{{< /alert >}}
+
+## Recommendations Details
+
+### NSG-1 - Configure Diagnostic Settings for all Azure Resources
+
+**Category: Monitoring**
+
+**Impact: Medium**
+
+**Recommendation/Guidance**
+
+Resource Logs are not collected and stored until you create a diagnostic setting and route them to one or more locations.
+
+**Resources**
+
+- [Diagnostic settings in Azure Monitor](https://learn.microsoft.com/azure/azure-monitor/essentials/diagnostic-settings)
+
+**Resource Graph Query/Scripts**
+
+{{< collapse title="Show/Hide Query/Script" >}}
+
+{{< code lang="sql" file="code/nsg-1/nsg-1.kql" >}} {{< /code >}}
+
+{{< /collapse >}}
+
+<br><br>
+
+### NSG-2 - Monitor changes in Network Security Groups with Azure Monitor
+
+**Category: Monitoring**
+
+**Impact: Low**
+
+**Recommendation/Guidance**
+
+Create Alerts for administrative operations such as Create or Update Network Security Group rules with Azure Monitor to detect unauthorized/undesired changes to production resources, this alert can help identify undesired changes in the default security, such as attempts to by-pass firewalls or from accessing resources externally.
+
+**Resources**
+
+- [Azure Monitor activity log](https://learn.microsoft.com/azure/azure-monitor/essentials/activity-log?tabs=powershell)
+
+**Resource Graph Query/Scripts**
+
+{{< collapse title="Show/Hide Query/Script" >}}
+
+{{< code lang="sql" file="code/nsg-2/nsg-2.kql" >}} {{< /code >}}
+
+{{< /collapse >}}
+
+<br><br>
+
+### NSG-3 - Configure locks for Network Security Groups to avoid accidental changes and/or deletion
+
+**Category: **
+
+**Impact: Medium**
+
+**Recommendation/Guidance**
+
+As an administrator, you can lock an Azure subscription, resource group, or resource to protect them from accidental user deletions and modifications. The lock overrides any user permissions.
+You can set locks that prevent either deletions or modifications. In the portal, these locks are called Delete and Read-only.
+
+**Resources**
+
+- [Lock your resources to protect your infrastructure](https://learn.microsoft.com/azure/azure-resource-manager/management/lock-resources?toc=%2Fazure%2Fvirtual-network%2Ftoc.json&tabs=json)
+
+**Resource Graph Query/Scripts**
+
+{{< collapse title="Show/Hide Query/Script" >}}
+
+{{< code lang="sql" file="code/nsg-3/nsg-3.kql" >}} {{< /code >}}
+
+{{< /collapse >}}
+
+<br><br>
+
+### NSG-4 - Configure NSG Flow Logs
+
+**Category: Monitoring**
+
+**Impact: Medium**
+
+**Recommendation/Guidance**
+
+It's vital to monitor, manage, and know your own network so that you can protect and optimize it. You need to know the current state of the network, who's connecting, and where users are connecting from. You also need to know which ports are open to the internet, what network behavior is expected, what network behavior is irregular, and when sudden rises in traffic happen.
+
+Flow logs are the source of truth for all network activity in your cloud environment. Whether you're in a startup that's trying to optimize resources or a large enterprise that's trying to detect intrusion, flow logs can help. You can use them for optimizing network flows, monitoring throughput, verifying compliance, detecting intrusions, and more.
+
+**Resources**
+
+- [Flow logging for network security groups](https://learn.microsoft.com/azure/network-watcher/network-watcher-nsg-flow-logging-overview)
+
+**Resource Graph Query/Scripts**
+
+{{< collapse title="Show/Hide Query/Script" >}}
+
+{{< code lang="sql" file="code/nsg-4/nsg-4.kql" >}} {{< /code >}}
+
+{{< /collapse >}}
+
+<br><br>
+
+### NSG-5 - The NSG only has Default Security Rules, make sure to configure the necessary rules
+
+**Category: Access & Security**
+
+**Impact: Medium**
+
+**Recommendation/Guidance**
+
+You can use an Azure network security group to filter network traffic between Azure resources in an Azure virtual network. A network security group contains security rules that allow or deny inbound network traffic to, or outbound network traffic from, several types of Azure resources. For each rule, you can specify source and destination, port, and protocol.
+
+**Resources**
+
+- [Security rules](https://learn.microsoft.com/azure/virtual-network/network-security-groups-overview#security-rules)
+
+**Resource Graph Query/Scripts**
+
+{{< collapse title="Show/Hide Query/Script" >}}
+
+{{< code lang="sql" file="code/nsg-5/nsg-5.kql" >}} {{< /code >}}
+
+{{< /collapse >}}
+
+<br><br>
@@ -0,0 +1,2 @@
+// Azure Resource Graph Query
+// Under development
@@ -0,0 +1,2 @@
+// Azure Resource Graph Query
+// Under development
@@ -0,0 +1,2 @@
+// Azure Resource Graph Query
+// Under development
@@ -0,0 +1,6 @@
+// Azure Resource Graph Query
+// This query will return all NSGs that do not have flow logs enabled
+resources
+| where type =~ "microsoft.network/networksecuritygroups"
+| where isnull(properties.flowLogs)
+| project recommendationId = "nsg-4", name, id, param1 = "NSG Flow Logs Disabled"