From e730213c39d384c0f0d47b2fc81a6346b306e240 Mon Sep 17 00:00:00 2001 From: Rodrigo Santos Date: Thu, 14 Sep 2023 02:22:11 -0400 Subject: [PATCH 1/6] vm-updates --- docs/archetypes/service-bundle/_index.md | 12 +- .../compute/virtual-machines/_index.md | 158 ++++++++++++------ .../virtual-machines/code/vm-1/vm-1.kql | 17 +- .../virtual-machines/code/vm-2/vm-2.kql | 2 +- .../virtual-machines/code/vm-21/vm-21.kql | 2 +- .../virtual-machines/code/vm-22/vm-22.kql | 7 +- .../virtual-machines/code/vm-3/vm-3.kql | 2 +- .../virtual-machines/code/vm-4/vm-4.kql | 2 +- 8 files changed, 134 insertions(+), 68 deletions(-) diff --git a/docs/archetypes/service-bundle/_index.md b/docs/archetypes/service-bundle/_index.md index 8ab688e6b..8525dc5e5 100644 --- a/docs/archetypes/service-bundle/_index.md +++ b/docs/archetypes/service-bundle/_index.md 
@@ -12,10 +12,10 @@ The presented resiliency recommendations in this guidance include {{ replace .Na ## Summary of Recommendations {{< table style="table-striped" >}} -| Recommendation | Category | Impact | State | ARG Query Available | -| :------------------------------------------------ | :---------------------------------------------------------------------: | :------: | :------: | :-----------------: | -| [CM-1 - CHANGE ME title](#cm-1---change-me-title) | Compatibility/Compliance/Disaster Recovery/High Availability/Management | High/Medium/Low | Preview | Yes | -| [CM-2 - CHANGE ME title](#cm-2---change-me-title) | Monitoring/Networking/Performance/Scalability/Security/Storage | High/Medium/Low | Verified | No | +| Recommendation | Category | Impact | State | ARG Query Available | +| :------------------------------------------------ | :---------------------------------------------------------------------: | :------: | :------: | :-----------------: | +| [CM-1 - CHANGE ME title](#cm-1---change-me-title) | Compatibility/Compliance/Disaster Recovery/High Availability/Management | High/Medium/Low | Preview/Verified | Yes | +| [CM-2 - CHANGE ME title](#cm-2---change-me-title) | Monitoring/Networking/Performance/Scalability/Security/Storage | High/Medium/Low | Preview/Verified | No | {{< /table >}} {{< alert style="info" >}} @@ -28,7 +28,7 @@ Definitions of states can be found [here]({{< ref "../../../_index.md#definition ### CM-1 - CHANGE ME title -**Category: Compatibility/Compliance/Disaster Recovery/High Availability/Management/Monitoring/Networking/Performance/Scalability/Security/Storage** +**Category: Application Resilience/Automation/Availability/Access & Security/Governance/Disaster Recovery/System Efficiency/Monitoring/Networking/Storage** **Impact: High/Medium/Low** 
@@ -53,7 +53,7 @@ FILL ME IN... ### CM-2 - CHANGE ME title -**Category: Compatibility/Compliance/Disaster Recovery/High Availability/Management/Monitoring/Networking/Performance/Scalability/Security/Storage** +**Category: Application Resilience/Automation/Availability/Access & Security/Governance/Disaster Recovery/System Efficiency/Monitoring/Networking/Storage** **Impact: High/Medium/Low** diff --git a/docs/content/services/compute/virtual-machines/_index.md b/docs/content/services/compute/virtual-machines/_index.md index 7673126e0..b192f1c9e 100644 --- a/docs/content/services/compute/virtual-machines/_index.md +++ b/docs/content/services/compute/virtual-machines/_index.md 
@@ -12,30 +12,30 @@ The presented resiliency recommendations in this guidance include Virtual Machin ## Summary of Recommendations {{< table style="table-striped" >}} -| Recommendation | Impact | State | ARG Query Available | -| :--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | :----: | :-----: | :-----------------: | -| [VM-1 - Run production workloads on two or more VMs](#vm-1---run-production-workloads-on-two-or-more-vms) | High | Preview | Yes | -| [VM-2 - Deploy Virtual Machines across Availability Zones](#vm-2---deploy-virtual-machines-across-availability-zones) | High | Preview | Yes | -| [VM-3 - If AvailabilitySet is required, then put each application tier into a separate Availability Set](#vm-3---if-availabilityset-is-required-then-put-each-application-tier-into-a-separate-availabilityset) | High | Preview | Yes | -| [VM-4 - Replicate Virtual Machines using Azure Site Recovery](#vm-4---replicate-virtual-machines-using-azure-site-recovery) | Medium | Preview | Yes | -| [VM-5 - Use Managed Disks for Virtual Machine disks](#vm-5---use-managed-disks-for-virtual-machine-disks) | High | Preview | Yes | -| [VM-6 - Host application or database data on a data disk](#vm-6---host-application-or-database-data-on-a-data-disk) | Low | Preview | Yes | -| [VM-7 - Enable Backups on your Virtual Machines](#vm-7---enable-backups-on-your-virtual-machines) | Medium | Preview | Yes | -| [VM-8 - Production VMs should be using SSD disks](#vm-8---production-vms-should-be-using-ssd-disks) | High | Preview | Yes | -| [VM-9 - There are Virtual Machines in Stopped state](#vm-9---there-are-virtual-machines-in-stopped-state) | Low | Preview | Yes | -| [VM-10 - Accelerated Networking is not enabled](#vm-10---accelerated-networking-is-not-enabled) | Medium | Preview | Yes | -| [VM-11 - Accelerated Networking is 
enabled, make sure you update the GuestOS NIC driver every 6 months](#vm-11---accelerated-networking-is-enabled-make-sure-you-update-the-guestos-nic-driver-every-6-months) | Low | Preview | Yes | -| [VM-12 - Virtual Machines should not have a Public IP directly associated](#vm-12---virtual-machines-should-not-have-a-public-ip-directly-associated) | Medium | Preview | Yes | -| [VM-13 - Virtual Network Interfaces have an NSG associated](#vm-13---virtual-network-interfaces-have-an-nsg-associated) | Low | Preview | Yes | -| [VM-14 - IP Forwarding should only be enabled for Network Virtual Appliances](#vm-14---ip-forwarding-should-only-be-enabled-for-network-virtual-appliances) | Medium | Preview | Yes | -| [VM-15 - Customer DNS Servers should be configured in the Virtual Network level](#vm-15---customer-dns-servers-should-be-configured-in-the-virtual-network-level) | Low | Preview | Yes | -| [VM-16 - Shared disks should only be enabled in Clustered servers](#vm-16---shared-disks-should-only-be-enabled-in-clustered-servers) | Medium | Preview | Yes | -| [VM-17 - The Network access to the VM disk is set to "Enable Public access from all networks"](#vm-17---the-network-access-to-the-vm-disk-is-set-to-enable-public-access-from-all-networks) | Low | Preview | Yes | -| [VM-18 - Virtual Machine is not compliant with Azure Policies](#vm-18---virtual-machine-is-not-compliant-with-azure-policies) | Low | Preview | Yes | -| [VM-19 - Enable disk encryption, Enable data at rest encryption by default](#vm-19---enable-disk-encryption-enable-data-at-rest-encryption-by-default) | Medium | Preview | No | -| [VM-20 - Enable Insights to get more visibility into the health and performance of your virtual machine](#vm-20---enable-insights-to-get-more-visibility-into-the-health-and-performance-of-your-virtual-machine) | Low | Preview | No | -| [VM-21 - Diagnostic Settings should be configured for all Azure Resources](#vm-21---diagnostic-settings-should-be-configured-for-all-azure-resources) 
| Low | Preview | No | -| [VM-22 - Use maintenance configurations for the Virtual Machine](#vm-22---use-maintenance-configurations-for-the-virtual-machine) | High | Preview | Yes | +| Recommendation | Impact | State | ARG Query Available | +| :--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | :----: | :-----: | :-----------------: | +| [VM-1 - Run production workloads on two or more VMs using VMSS Flex](#vm-1---run-production-workloads-on-two-or-more-vms-using-vmss-flex) | High | Verified | Yes | +| [VM-2 - Deploy VMs across Availability Zones](#vm-2---deploy-vms-across-availability-zones) | High | Verified | Yes | +| [VM-3 - Migrate VMs using availability sets to VMSS Flex](#vm-3---migrate-vms-using-availability-sets-to-vmss-flex) | High | Verified | Yes | +| [VM-4 - Replicate VMs using Azure Site Recovery](#vm-4---replicate-vms-using-azure-site-recovery) | Medium | Verified | Yes | +| [VM-5 - Use Managed Disks for Virtual Machine disks](#vm-5---use-managed-disks-for-vm-disks) | High | Verified | Yes | +| [VM-6 - Host application or database data on a data disk](#vm-6---host-application-or-database-data-on-a-data-disk) | Low | Verified | Yes | +| [VM-7 - Enable Backups on your VMs](#vm-7---backup-vms-with-azure-backup-service) | Medium | Verified | Yes | +| [VM-8 - Production VMs should be using SSD disks](#vm-8---production-vms-should-be-using-ssd-disks) | High | Verified | Yes | +| [VM-9 - There are VMs in Stopped state](#vm-9---review-vms-in-stopped-state) | Low | Verified | Yes | +| [VM-10 - Accelerated Networking is not enabled](#vm-10---enable-accelerated-networking-accelnet) | Medium | Verified | Yes | +| [VM-11 - Accelerated Networking is enabled, make sure you update the GuestOS NIC driver every 6 
months](#vm-11---when-accelnet-is-enabled-you-must-manually-update-the-guestos-nic-driver) | Low | Verified | Yes | +| [VM-12 - VMs should not have a Public IP directly associated](#vm-12---vms-should-not-have-a-public-ip-directly-associated) | Medium | Verified | Yes | +| [VM-13 - Virtual Network Interfaces have an NSG associated](#vm-13---vm-network-interfaces-have-a-network-security-group-nsg-associated) | Low | Verified | Yes | +| [VM-14 - IP Forwarding should only be enabled for Network Virtual Appliances](#vm-14---ip-forwarding-should-only-be-enabled-for-network-virtual-appliances) | Medium | Verified | Yes | +| [VM-15 - Customer DNS Servers should be configured in the Virtual Network level](#vm-15---dns-servers-should-be-configured-in-the-virtual-network-level) | Low | Verified | Yes | +| [VM-16 - Shared disks should only be enabled in Clustered servers](#vm-16---shared-disks-should-only-be-enabled-in-clustered-servers) | Medium | Verified | Yes | +| [VM-17 - The Network access to the VM disk is set to "Enable Public access from all networks"](#vm-17---network-access-to-the-vm-disk-should-be-set-to-disable-public-access-and-enable-private-access) | Low | Verified | Yes | +| [VM-18 - Virtual Machine is not compliant with Azure Policies](#vm-18---ensure-that-your-vms-are-compliant-with-azure-policies) | Low | Verified | Yes | +| [VM-19 - Enable disk encryption, Enable data at rest encryption by default](#vm-19---enable-disk-encryption-and-data-at-rest-encryption-by-default) | Medium | Verified | Yes | +| [VM-20 - Enable Insights to get more visibility into the health and performance of your virtual machine](#vm-20---enable-vm-insights) | Low | Verified | No | +| [VM-21 - Diagnostic Settings should be configured for all Azure Resources](#vm-21---configure-diagnostic-settings-for-all-azure-resources) | Low | Verified | Yes | +| [VM-22 - Use maintenance configurations for the Virtual Machine](#vm-22---use-maintenance-configurations-for-the-vms) | High | Preview | 
Yes | {{< /table >}} {{< alert style="info" >}} @@ -46,13 +46,18 @@ Definitions of states can be found [here]({{< ref "../../../_index.md#definition ## Recommendations Details -### VM-1 - Run production workloads on two or more VMs +### VM-1 - Run production workloads on two or more VMs using VMSS Flex + +**Category: Availability** **Impact: High** **Recommendation/Guidance** -To safeguard application workloads from downtime due to the temporary unavailability of a disk or VM, customers can use availability sets. Two or more virtual machines in an availability set provide redundancy for the application. Azure then creates these VMs and disks in separate fault domains with different power, network, and server components. Then, deploy multiple VMs in different Availability Zones, or put them into an Availability Set or Virtual Machine Scale Set, with a Load Balancer in front of them. +To safeguard application workloads from downtime due to the temporary unavailability of a disk or VM, it's recommended that you run production workloads on two or more VMs using VMSS Flex. To achieve this you can use: + +- Azure Virtual Machine Scale Sets to create and manage a group of load balanced VMs. The number of VM instances can automatically increase or decrease in response to demand or a defined schedule. +- Availability zones. **Resources** @@ -68,7 +73,9 @@ To safeguard application workloads from downtime due to the temporary unavailabi

-### VM-2 - Deploy Virtual Machines across Availability Zones +### VM-2 - Deploy VMs across Availability Zones + +**Category: Availability** **Impact: High** @@ -90,13 +97,20 @@ Azure Availability Zones are physically separate locations within each Azure reg

-### VM-3 - If AvailabilitySet is required, then put each application tier into a separate AvailabilitySet +### VM-3 - Migrate VMs using availability sets to VMSS Flex + +**Category: Availability** **Impact: High** **Recommendation/Guidance** -If the region where you are running your application doesn't support Availablity Zones, then put your VMs into an Availability Set. In an N-tier application, don't put VMs from different tiers into the same availability set. VMs in an availability set are placed across fault domains (FDs) and update domains (UD). However, to get the redundancy benefit of FDs and UDs, every VM in the availability set must be able to handle the same client requests. +Availability sets will be retired in the near future. Modernize your workloads by migrating them from VMs to VMSS Flex. With VMSS Flex, you can deploy your VMs in one of two ways: + +. Across zones +. In the same zone, but across fault domains (FDs) and update domains (UD) automatically. + +In an N-tier application, it's recommended that you place each application tier into its own VMSS Flex. **Resources** @@ -112,7 +126,9 @@ If the region where you are running your application doesn't support Availablity

-### VM-4 - Replicate Virtual Machines using Azure Site Recovery +### VM-4 - Replicate VMs using Azure Site Recovery + +**Category: Disaster Recovery** **Impact: Medium** @@ -135,7 +151,9 @@ When you replicate Azure VMs using Site Recovery, all the VM disks are continuou

-### VM-5 - Use Managed Disks for Virtual Machine disks +### VM-5 - Use Managed Disks for VM disks + +**Category: Availability** **Impact: High** @@ -160,6 +178,8 @@ Managed disks provide better reliability for VMs in an availability set, because ### VM-6 - Host application or database data on a data disk +**Category: System Efficiency** + **Impact: Low** **Recommendation/Guidance** @@ -180,13 +200,15 @@ A data disk is a managed disk that's attached to a virtual machine to store appl

-### VM-7 - Enable Backups on your Virtual Machines +### VM-7 - Backup VMs with Azure Backup service + +**Category: Disaster Recovery** **Impact: Medium** **Recommendation/Guidance** -Enable backups for your virtual machines and secure your data +Enable backups for your virtual machines to secure and quickly recover your data. The Azure Backup service provides simple, secure, and cost-effective solutions to back up your data and recover it from the Microsoft Azure cloud. **Resources** 
@@ -204,15 +226,23 @@ Enable backups for your virtual machines and secure your data ### VM-8 - Production VMs should be using SSD disks +**Category: System Efficiency** + **Impact: High** **Recommendation/Guidance** -We have identified that you are using standard hard disks with your premium-capable Virtual Machines and we recommend you consider upgrading the standard-hdd disks to standard-ssd or premium disks. For any Single Instance Virtual Machine using premium storage for all Operating System Disks and Data Disks, we guarantee you will have Virtual Machine Connectivity of at least 99.9%. Consider these factors when making your upgrade decision. The first is that upgrading requires a VM reboot and this process takes 3-5 minutes to complete. The second is if the VMs in the list are mission-critical production VMs, evaluate the improved availability against the cost of premium disks. +Premium SSD disks offer high-performance, low-latency disk support for I/O-intensive applications and production workloads. Standard SSD Disks are a cost-effective storage option optimized for workloads that need consistent performance at lower IOPS levels. -Premium SSD disks offer high-performance, low-latency disk support for I/O-intensive applications and production workloads. Standard SSD Disks are a cost effective storage option optimized for workloads that need consistent performance at lower IOPS levels. Use Standard HDD disks for Dev/Test scenarios and less critical workloads at lowest cost. +It is recommended that you: -Standard SSDs are acceptable for some Production workloads as well. Please refer to the reference link for more information. +- Use Standard HDD disks for Dev/Test scenarios and less critical workloads at lowest cost. +- Use Premium SSD disks instead of Standard HDD disks with your premium-capable VMs. For any Single Instance VM using premium storage for all Operating System Disks and Data Disks, Azure guarantees VM connectivity of at least 99.9%. 
+ +If you want to upgrade from Standard HDD to Premium SSD disks, consider the following issues: + +- Upgrading requires a VM reboot and this process takes 3-5 minutes to complete. +- If VMs are mission-critical production VMs, evaluate the improved availability against the cost of premium disks. **Resources** @@ -228,7 +258,9 @@ Standard SSDs are acceptable for some Production workloads as well. Please refer

-### VM-9 - There are Virtual Machines in Stopped state +### VM-9 - Review VMs in stopped state + +**Category: Governance** **Impact: Low** @@ -250,7 +282,9 @@ Azure Virtual Machines (VM) instances go through different states. There are pro

-### VM-10 - Accelerated Networking is not enabled +### VM-10 - Enable Accelerated Networking (AccelNet) + +**Category: System Efficiency** **Impact: Medium** @@ -274,7 +308,9 @@ This configuration is not always required, evaluate this option according to the

-### VM-11 - Accelerated Networking is enabled, make sure you update the GuestOS NIC driver every 6 months +### VM-11 - When AccelNet is enabled, you must manually update the GuestOS NIC driver + +**Category: Governance** **Impact: Low** @@ -296,7 +332,9 @@ When Accelerated Networking is enabled the default Azure Virtual Network interfa

-### VM-12 - Virtual Machines should not have a Public IP directly associated +### VM-12 - VMs should not have a Public IP directly associated + +**Category: Access & Security** **Impact: Medium** @@ -318,7 +356,9 @@ If a Virtual Machine requires outbound internet connectivity we recommend the us

-### VM-13 - Virtual Network Interfaces have an NSG associated +### VM-13 - VM network interfaces have a Network Security Group (NSG) associated + +**Category: Access & Security** **Impact: Low** @@ -342,6 +382,8 @@ Unless you have a specific reason to, we recommend that you associate a network ### VM-14 - IP Forwarding should only be enabled for Network Virtual Appliances +**Category: Access & Security** + **Impact: Medium** **Recommendation/Guidance** @@ -368,7 +410,9 @@ The setting must be enabled for every network interface that is attached to the

-### VM-15 - Customer DNS Servers should be configured in the Virtual Network level +### VM-15 - DNS Servers should be configured in the Virtual Network level + +**Category: Storage** **Impact: Low** @@ -390,7 +434,9 @@ Configure the DNS Server in the Virtual Network to avoid inconsistency across th

-### VM-16 - Shared disks should only be enabled in Clustered servers +### VM-16 - Shared disks should only be enabled in clustered servers + +**Category: Storage** **Impact: Medium** @@ -412,7 +458,9 @@ Azure shared disks is a feature for Azure managed disks that enables you to atta

-### VM-17 - The Network access to the VM disk is set to "Enable Public access from all networks +### VM-17 - Network access to the VM disk should be set to "Disable public access and enable private access" + +**Category: Access & Security** **Impact: Low** @@ -434,7 +482,9 @@ Recommended changing to "Disable public access and enable private access" and cr

-### VM-18 - Virtual Machine is not compliant with Azure Policies +### VM-18 - Ensure that your VMs are compliant with Azure Policies + +**Category: Governance** **Impact: Low** @@ -457,7 +507,9 @@ It's important to keep your virtual machine (VM) secure for the applications tha

-### VM-19 - Enable disk encryption, Enable data at rest encryption by default +### VM-19 - Enable disk encryption and data at rest encryption by default + +**Category: Access & Security** **Impact: Medium** @@ -484,7 +536,9 @@ There are several types of encryption available for your managed disks, includin

-### VM-20 - Enable Insights to get more visibility into the health and performance of your virtual machine +### VM-20 - Enable VM Insights + +**Category: Monitoring** **Impact: Low** @@ -495,7 +549,7 @@ VM insights monitors the performance and health of your virtual machines and vir **Resources** - [Overview of VM insights](https://learn.microsoft.com/azure/azure-monitor/vm/vminsights-overview) -- [Did the extension install properly?](https://learn.microsoft.com/en-us/azure/azure-monitor/vm/vminsights-troubleshoot#did-the-extension-install-properly) +- [Did the extension install properly?](https://learn.microsoft.com/azure/azure-monitor/vm/vminsights-troubleshoot#did-the-extension-install-properly) **Resource Graph Query/Scripts** @@ -507,7 +561,9 @@ VM insights monitors the performance and health of your virtual machines and vir

-### VM-21 - Diagnostic Settings should be configured for all Azure Resources +### VM-21 - Configure diagnostic settings for all Azure resources + +**Category: Monitoring** **Impact: Low** @@ -540,7 +596,9 @@ A single diagnostic setting can define no more than one of each of the destinati

-### VM-22 - Use maintenance configurations for the Virtual Machine +### VM-22 - Use maintenance configurations for the VMs + +**Category: Governance** **Impact: High** diff --git a/docs/content/services/compute/virtual-machines/code/vm-1/vm-1.kql b/docs/content/services/compute/virtual-machines/code/vm-1/vm-1.kql index 151e010a0..187c3c85d 100644 --- a/docs/content/services/compute/virtual-machines/code/vm-1/vm-1.kql +++ b/docs/content/services/compute/virtual-machines/code/vm-1/vm-1.kql @@ -1,6 +1,15 @@ // Azure Resource Graph Query -// Find all VMs that are not assigned to a Zone nor is associated with an AvailabilitySet -Resources +// Find single VMs per ResourceGroup and/or with unique naming convention. +// Customize the query to meet your naming standards, replace the "5" (prefix) with the number of characters you want to compare (name, 0, 5) +resources | where type =~ 'Microsoft.Compute/virtualMachines' -| where isnull(properties.availabilitySetReference) and isnull(properties.hardwareProfile.zone) -| project recommendationId = "vm-1", name, id +| extend vmPrefix = substring(name, 0, 5) +| project resourceGroup, vmPrefix, name, id +| summarize VMCount = count() by resourceGroup, vmPrefix +| where VMCount == 1 +| join kind=leftouter ( + resources + | where type =~ 'Microsoft.Compute/virtualMachines' + | project resourceGroup, name, id +)on resourceGroup +| project recommendationId = "vm-1", name, id, resourceGroup diff --git a/docs/content/services/compute/virtual-machines/code/vm-2/vm-2.kql b/docs/content/services/compute/virtual-machines/code/vm-2/vm-2.kql index 8583fe73a..3d593194e 100644 --- a/docs/content/services/compute/virtual-machines/code/vm-2/vm-2.kql +++ b/docs/content/services/compute/virtual-machines/code/vm-2/vm-2.kql @@ -3,4 +3,4 @@ Resources | where type =~ 'Microsoft.Compute/virtualMachines' | where isnull(zones) -| project recommendationId = "vm-2", name, id +| project recommendationId = "vm-2", name, id, Zones="No Zone" 
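Review bot: In the summary-table hunk, VM-19 and VM-21 flip "ARG Query Available" from No to Yes, but the diffstat lists no vm-19.kql and the only vm-21.kql change in this patch turns `under development` into `// under development`; keep those two rows at No until the queries exist. In the same table, several rows keep the old title as link text while the anchor now points at the renamed heading (for example `[VM-7 - Enable Backups on your VMs](#vm-7---backup-vms-with-azure-backup-service)`, likewise VM-9, VM-10, VM-11, VM-13, VM-17, VM-18, VM-20 and VM-21); update the link text to match the new headings so the table and the sections agree.

Review bot: The VM-1 guidance hunk introduces a list with "To achieve this you can use:" and then gives `- Availability zones.` as a bare item; it needs a clause (what to do with zones in a VMSS Flex deployment) or should be dropped here since VM-2 already covers zones.

Review bot: In the VM-3 hunk the two deployment options are written as `. Across zones` and `. In the same zone, but across fault domains (FDs) and update domains (UD) automatically.`; the list markers have lost their numbers (or should be `-` like the other lists in this file), so they will not render as a list. The same hunk states "Availability sets will be retired in the near future" with no citation in the hunk; a retirement statement needs a linked source or softer wording.

Review bot: The VM-8 hunk removes "Standard SSDs are acceptable for some Production workloads as well", yet the heading still says "Production VMs should be using SSD disks" and the new bullets mention only Standard HDD and Premium SSD; keep a bullet for Standard SSD, otherwise the section reads as Premium-only.

Review bot: The VM-15 hunk assigns "DNS Servers should be configured in the Virtual Network level" to `**Category: Storage**`; the archetype hunk's category list includes Networking, which is the right bucket for DNS configuration.

Review bot: The rewritten vm-1.kql joins on `resourceGroup` alone (`)on resourceGroup`), so as soon as any five-character prefix in a resource group has `VMCount == 1`, every VM in that resource group is returned, once per such prefix. Join on both keys instead: extend `vmPrefix = substring(name, 0, 5)` on the right-hand side as well and write `on resourceGroup, vmPrefix` (an inner join is enough here, since the left side already filtered to count-1 prefixes). The heading this query backs is now "two or more VMs using VMSS Flex", but the query no longer looks at `properties.availabilitySetReference` or zone membership and does not check `properties.virtualMachineScaleSet`, so a VM already in a Flex scale set but with a unique name is still flagged; add a `where isnull(properties.virtualMachineScaleSet)` filter. A space before `on` would match the rest of the query's style.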
diff --git a/docs/content/services/compute/virtual-machines/code/vm-21/vm-21.kql b/docs/content/services/compute/virtual-machines/code/vm-21/vm-21.kql index c6fec4b4d..7b5bb5473 100644 --- a/docs/content/services/compute/virtual-machines/code/vm-21/vm-21.kql +++ b/docs/content/services/compute/virtual-machines/code/vm-21/vm-21.kql @@ -1 +1 @@ -under development +// under development diff --git a/docs/content/services/compute/virtual-machines/code/vm-22/vm-22.kql b/docs/content/services/compute/virtual-machines/code/vm-22/vm-22.kql index 6aa888abc..97eeeb834 100644 --- a/docs/content/services/compute/virtual-machines/code/vm-22/vm-22.kql +++ b/docs/content/services/compute/virtual-machines/code/vm-22/vm-22.kql @@ -1,6 +1,5 @@ -// Start with a list of VMs, format the resourceId in lowercase for joining to the maintenanceresources later -// Do the join with mainteinanceresources looking specifically for configurationassignments -// Filter to only return resources that have no maintenance configuration assigned +// Azure Resource Graph Query +// Find VMS that do not have maintenance configuration assigned Resources | extend resourceId = tolower(id) | project name, location, type, id, resourceId, properties @@ -12,5 +11,5 @@ maintenanceresources | extend resourceId = tostring(maintenanceProps.resourceId) ) on resourceId | where isnull(maintenanceProps) -| project recommendationId = "vm-22",name, location, type, id, properties +| project recommendationId = "vm-22",name, id | order by id asc diff --git a/docs/content/services/compute/virtual-machines/code/vm-3/vm-3.kql b/docs/content/services/compute/virtual-machines/code/vm-3/vm-3.kql index 9c5c7fb9a..2752f92fb 100644 --- a/docs/content/services/compute/virtual-machines/code/vm-3/vm-3.kql +++ b/docs/content/services/compute/virtual-machines/code/vm-3/vm-3.kql 
@@ -4,7 +4,7 @@ Resources | where type =~ 'Microsoft.Compute/virtualMachines' | where isnotnull(properties.availabilitySet) -| extend vmPrefix = substring(properties.osProfile.computerName, 0, 5) +| extend vmPrefix = substring(name, 0, 5) | summarize VMs = make_set(vmPrefix) by availabilitySet = tostring(properties.availabilitySet.id) | where array_length(VMs) > 1 | extend availabilitySetName = tostring(split(availabilitySet, '/')[8]) diff --git a/docs/content/services/compute/virtual-machines/code/vm-4/vm-4.kql b/docs/content/services/compute/virtual-machines/code/vm-4/vm-4.kql index 7756589ac..260f61994 100644 --- a/docs/content/services/compute/virtual-machines/code/vm-4/vm-4.kql +++ b/docs/content/services/compute/virtual-machines/code/vm-4/vm-4.kql @@ -3,5 +3,5 @@ Resources | where type =~ 'Microsoft.Compute/virtualMachines' | where isnotnull(properties.extended.instanceView) -| where not(properties.extended.instanceView.replicationState == 'Replicating') +| where properties.extended.instanceView.replicationState != 'Replicating' | project recommendationId = "vm-4", name, id From 8a84876dd8053f02e416e0879fbdef23638901bd Mon Sep 17 00:00:00 2001 From: Rodrigo Santos Date: Mon, 18 Sep 2023 16:29:45 -0400 Subject: [PATCH 2/6] updating-vmss-9-18-2023-1 --- .../virtual-machine-scale-sets/_index.md | 166 +++++++++++++----- .../code/vmss-1/vmss-1.kql | 10 +- .../code/vmss-2/vmss-2.kql | 3 + .../code/vmss-3/vmss-3.kql | 3 + .../code/vmss-4/vmss-4.kql | 14 +- .../code/vmss-5/vmss-5.kql | 14 +- .../code/vmss-6/vmss-6.kql | 7 +- .../code/vmss-7/vmss-7.kql | 7 + .../code/vmss-8/vmss-8.kql | 7 + .../code/vmss-9/vmss-9.kql | 5 + 10 files changed, 183 insertions(+), 53 deletions(-) create mode 100644 docs/content/services/compute/virtual-machine-scale-sets/code/vmss-7/vmss-7.kql create mode 100644 docs/content/services/compute/virtual-machine-scale-sets/code/vmss-8/vmss-8.kql create mode 100644 docs/content/services/compute/virtual-machine-scale-sets/code/vmss-9/vmss-9.kql 
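Review bot: The vm-22.kql hunk replaces three comment lines that explained the lowercase-id join against `maintenanceresources` with a single summary line; keep one sentence about the join so the next maintainer knows why `resourceId = tolower(id)` exists, and fix the typo "Find VMS" to "Find VMs".

Review bot: vm-3.kql still returns only availability sets that contain more than one name prefix (`| where array_length(VMs) > 1`), which matched the old "separate Availability Set per tier" guidance; the new VM-3 heading says to migrate every availability-set VM to VMSS Flex, so the query should return all VMs with `isnotnull(properties.availabilitySet)` rather than only mixed-tier sets, or the doc text should keep the per-tier rule.

Review bot: In vm-4.kql, `!= 'Replicating'` behaves the same as the `not(... == 'Replicating')` it replaces, including in the case that matters: a VM whose instanceView has no `replicationState` at all produces a dynamic null, the comparison evaluates to null, and the row is filtered out, so VMs never enabled for Site Recovery are not reported. Wrap the value, e.g. `| where tostring(properties.extended.instanceView.replicationState) != 'Replicating'`, so a missing state compares as an empty string and is flagged.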
diff --git a/docs/content/services/compute/virtual-machine-scale-sets/_index.md b/docs/content/services/compute/virtual-machine-scale-sets/_index.md index e88bb2320..a29fd0330 100644 --- a/docs/content/services/compute/virtual-machine-scale-sets/_index.md +++ b/docs/content/services/compute/virtual-machine-scale-sets/_index.md 
@@ -12,14 +12,17 @@ The presented resiliency recommendations in this guidance include Virtual Machin ## Summary of Recommendations {{< table style="table-striped" >}} -| Recommendation | Impact | State | ARG Query Available | -| :------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | :----: | :-----: | :-----------------: | -| [VMSS-1 - Deploy using Flexible scale set instead of simple Virtual Machines](#vmss-1---deploy-using-flexible-scale-set-instead-of-simple-virtual-machines) | Medium | Preview | No | -| [VMSS-2 - Protection Policy is disabled for all VMSS instances](#vmss-2---protection-policy-is-disabled-for-all-vmss-instances) | Low | Preview | No | -| [VMSS-3 - VMSS Application health monitoring is not enabled](#vmss-3---vmss-application-health-monitoring-is-not-enabled) | Medium | Preview | No | -| [VMSS-4 - Automatic repair policy is not enabled](#vmss-4---automatic-repair-policy-is-not-enabled) | High | Preview | No | -| [VMSS-5 - VMSS Autoscale is set to Manual scale](#vmss-5---vmss-autoscale-is-set-to-manual-scale) | High | Preview | No | -| [VMSS-6 - VMSS Custom scale-in policies is not set to default](#vmss-6---vmss-custom-scale-in-policies-is-not-set-to-default) | Low | Preview | No | +| Recommendation | Impact | State | ARG Query Available | +| :---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | :----: | :-----: | :-----------------: | +| [VMSS-1 - Deploy VMSSs with Flex orchestration mode instead of Uniform](#vmss-1---deploy-vmsss-with-flex-orchestration-mode-instead-of-uniform) | Medium | Preview | No | +| [VMSS-2 - Enable Virtual Machine Scale Sets application health monitoring](#vmss-2---enable-virtual-machine-scale-sets-application-health-monitoring) | Low | Preview | No | 
+| [VMSS-3 - Enable Automatic repair policy](#vmss-3---enable-automatic-repair-policy) | High | Preview | No | +| [VMSS-4 - Configure Virtual Machine Scale Sets Autoscale to Custom and configure the scaling metrics](#vmss-4---configure-virtual-machine-scale-sets-autoscale-to-custom-and-configure-the-scaling-metrics) | High | Preview | No | +| [VMSS-5 - Enable Predictive autoscale and configure at least for Forecast Only](#vmss-5---enable-predictive-autoscale-and-configure-at-least-for-forecast-only) | Low | Preview | No | +| [VMSS-6 - Disable Force strictly even balance across zones to avoid scale in and out fail attempts](#vmss-6---disable-force-strictly-even-balance-across-zones-to-avoid-scale-in-and-out-fail-attempts) | Low | Preview | No | +| [VMSS-7 - Configure Allocation Policy Spreading algorithm to Max Spreading](#vmss-7---configure-allocation-policy-spreading-algorithm-to-max-spreading) | Low | Preview | No | +| [VMSS-8 - Deploy VMSS across availability zones with VMSS Flex](#vmss-8---deploy-vmss-across-availability-zones-with-vmss-flex) | Low | Preview | No | +| [VMSS-9 - Set Patch orchestration options to Azure-orchestrated](#vmss-9---set-patch-orchestration-options-to-azure-orchestrated) | Low | Preview | No | {{< /table >}} {{< alert style="info" >}} @@ -30,7 +33,7 @@ Definitions of states can be found [here]({{< ref "../../../_index.md#definition ## Recommendations Details -### VMSS-1 - Deploy using Flexible scale set instead of simple Virtual Machines +### VMSS-1 - Deploy VMSSs with Flex orchestration mode instead of Uniform **Impact: Medium** 
@@ -41,8 +44,7 @@ Even single instance VMs should be deployed into a scale set using the Flexible **Resources** - [When to use VMSS instead of VMs](https://learn.microsoft.com/azure/virtual-machine-scale-sets/virtual-machine-scale-sets-design-overview#when-to-use-scale-sets-instead-of-virtual-machines) -- [Azure Well-Architected Framework review - Virtual Machines and Scale Setgs](https://learn.microsoft.com/azure/well-architected/services/compute/virtual-machines/virtual-machines-review) -- [Azure Well-Architected Framework review - Virtual Machines](https://learn.microsoft.com/azure/virtual-machine-scale-sets/overview#why-use-virtual-machine-scale-sets) +- [Azure Well-Architected Framework review - Virtual Machines and Scale Sets](https://learn.microsoft.com/azure/well-architected/services/compute/virtual-machines/virtual-machines-review) **Resource Graph Query/Scripts** @@ -54,19 +56,19 @@ Even single instance VMs should be deployed into a scale set using the Flexible

-### VMSS-2 - Protection Policy is disabled for all VMSS instances +### VMSS-2 - Enable Virtual Machine Scale Sets application health monitoring -**Impact: Low** +**Category: Monitoring** -**Recommendation/Guidance** +**Impact: Medium** -Use VMSS Protection Policy in case you want specific instances to be treated differently from the rest of the scale set instance. +**Recommendation/Guidance** -As your application processes traffic, there can be situations where you want specific instances to be treated differently from the rest of the scale set instance. For example, certain instances in the scale set could be performing long-running operations, and you don't want these instances to be scaled-in until the operations complete. You might also have specialized a few instances in the scale set to perform additional or different tasks than the other members of the scale set. You require these 'special' VMs not to be modified with the other instances in the scale set. Instance protection provides the additional controls to enable these and other scenarios for your application. +Monitoring your application health is an important signal for managing and upgrading your deployment. Azure Virtual Machine Scale Sets provide support for Rolling Upgrades including Automatic OS-Image Upgrades and Automatic VM Guest Patching, which rely on health monitoring of the individual instances to upgrade your deployment. You can also use Application Health Extension to monitor the application health of each instance in your scale set and perform instance repairs using Automatic Instance Repairs. 
**Resources** -- [Instance Protection for Azure Virtual Machine Scale Set instances](https://learn.microsoft.com/azure/virtual-machine-scale-sets/virtual-machine-scale-sets-instance-protection) +- [Using Application Health extension with Virtual Machine Scale Sets](https://learn.microsoft.com/azure/virtual-machine-scale-sets/virtual-machine-scale-sets-health-extension?tabs=rest-api) **Resource Graph Query/Scripts** @@ -78,17 +80,21 @@ As your application processes traffic, there can be situations where you want sp

-### VMSS-3 - VMSS Application health monitoring is not enabled +### VMSS-3 - Enable Automatic repair policy -**Impact: Medium** +**Category: Automation** + +**Impact: High** **Recommendation/Guidance** -Monitoring your application health is an important signal for managing and upgrading your deployment. Azure Virtual Machine Scale Sets provide support for Rolling Upgrades including Automatic OS-Image Upgrades and Automatic VM Guest Patching, which rely on health monitoring of the individual instances to upgrade your deployment. You can also use Application Health Extension to monitor the application health of each instance in your scale set and perform instance repairs using Automatic Instance Repairs. +Enabling automatic instance repairs for Azure Virtual Machine Scale Sets helps achieve high availability for applications by maintaining a set of healthy instances. The Application Health extension or Load balancer health probes may find that an instance is unhealthy. Automatic instance repairs will automatically perform instance repairs by deleting the unhealthy instance and creating a new one to replace it. + +Grace period is specified in minutes in ISO 8601 format and can be set using the property automaticRepairsPolicy.gracePeriod. Grace period can range between 10 minutes and 90 minutes, and has a default value of 30 minutes. **Resources** -- [Using Application Health extension with Virtual Machine Scale Sets](https://learn.microsoft.com/azure/virtual-machine-scale-sets/virtual-machine-scale-sets-health-extension?tabs=rest-api) +- [Automatic instance repairs for Azure Virtual Machine Scale Sets](https://learn.microsoft.com/azure/virtual-machine-scale-sets/virtual-machine-scale-sets-automatic-instance-repairs#requirements-for-using-automatic-instance-repairs) **Resource Graph Query/Scripts** @@ -100,19 +106,22 @@ Monitoring your application health is an important signal for managing and upgra

-### VMSS-4 - Automatic repair policy is not enabled +### VMSS-4 - Configure Virtual Machine Scale Sets Autoscale to Custom and configure the scaling metrics + +**Category: System Efficiency** **Impact: High** -**Recommendation/Guidance** +**Recommendation** -Enabling automatic instance repairs for Azure Virtual Machine Scale Sets helps achieve high availability for applications by maintaining a set of healthy instances. The Application Health extension or Load balancer health probes may find that an instance is unhealthy. Automatic instance repairs will automatically perform instance repairs by deleting the unhealthy instance and creating a new one to replace it. +Use Custom autoscale based on metrics and schedules. -Grace period is specified in minutes in ISO 8601 format and can be set using the property automaticRepairsPolicy.gracePeriod. Grace period can range between 10 minutes and 90 minutes, and has a default value of 30 minutes. +Autoscale is a built-in feature that helps applications perform their best when demand changes. You can choose to scale your resource manually to a specific instance count, or via a custom Autoscale policy that scales based on metric(s) thresholds, or schedule instance count which scales during designated time windows. Autoscale enables your resource to be performant and cost effective by adding and removing instances based on demand. **Resources** -- [Automatic instance repairs for Azure Virtual Machine Scale Sets](https://learn.microsoft.com/azure/virtual-machine-scale-sets/virtual-machine-scale-sets-automatic-instance-repairs#requirements-for-using-automatic-instance-repairs) +- [Get started with autoscale in Azure](https://learn.microsoft.com/azure/azure-monitor/autoscale/autoscale-get-started?WT.mc_id=Portal-Microsoft_Azure_Monitoring) +- [Overview of autoscale in Azure](https://learn.microsoft.com/azure/azure-monitor/autoscale/autoscale-overview) **Resource Graph Query/Scripts** 
@@ -124,20 +133,19 @@ Grace period is specified in minutes in ISO 8601 format and can be set using the

-### VMSS-5 - VMSS Autoscale is set to Manual scale +### VMSS-5 - Enable Predictive autoscale and configure at least for Forecast Only -**Impact: High** +**Category: System Efficiency** -**Recommendation** +**Impact: Low** -Use Custom autoscale based on metrics and schedules. +**Recommendation/Guidance** -Autoscale is a built-in feature that helps applications perform their best when demand changes. You can choose to scale your resource manually to a specific instance count, or via a custom Autoscale policy that scales based on metric(s) thresholds, or schedule instance count which scales during designated time windows. Autoscale enables your resource to be performant and cost effective by adding and removing instances based on demand. +Predictive autoscale uses machine learning to help manage and scale Azure Virtual Machine Scale Sets with cyclical workload patterns. It forecasts the overall CPU load to your virtual machine scale set, based on your historical CPU usage patterns. It predicts the overall CPU load by observing and learning from historical usage. This process ensures that scale-out occurs in time to meet the demand. **Resources** -- [Get started with autoscale in Azure](https://learn.microsoft.com/azure/azure-monitor/autoscale/autoscale-get-started?WT.mc_id=Portal-Microsoft_Azure_Monitoring) -- [Overview of autoscale in Azure](https://learn.microsoft.com/azure/azure-monitor/autoscale/autoscale-overview) +- [Use predictive autoscale to scale out before load demands in virtual machine scale sets](https://learn.microsoft.com/azure/azure-monitor/autoscale/autoscale-predictive) **Resource Graph Query/Scripts** @@ -149,35 +157,103 @@ Autoscale is a built-in feature that helps applications perform their best when

-### VMSS-6 - VMSS Custom scale-in policies is not set to default +### VMSS-6 - Disable Force strictly even balance across zones to avoid scale in and out fail attempts -**Impact: Low** +**Category: Availability** + +**Impact: High** **Recommendation/Guidance** -The default custom scale-in policy provides the best algorithm and flexibility for the majority of the scenarios. Use the Newest and Oldest policies when workload requires oldest or newest VMs to be deleted. +Microsoft recommends disabling the setting that enforces strictly even distribution of VM instances across Availability Zones within a region in your VMSS configuration. In other words, you should allow Azure to distribute VM instances unevenly across Availability Zones. -A Virtual Machine Scale Set deployment can be scaled-out or scaled-in based on an array of metrics, including platform and user-defined custom metrics. While a scale-out creates new virtual machines based on the scale set model, a scale-in affects running virtual machines that may have different configurations and/or functions as the scale set workload evolves. +Force strictly even balance across zones: Azure provides the option to distribute VM instances in a VMSS evenly across Availability Zones within a region. An Availability Zone is a physically separate data center within an Azure region with independent power, cooling, and networking. This configuration enhances the availability and fault tolerance of your applications. -Users do not need to specify a scale-in policy if they just want the default ordering to be followed. +Scale in and out fail attempts: In the context of VMSS, "scaling in" refers to reducing the number of VM instances when demand decreases, while "scaling out" refers to increasing the number of instances when demand increases. Scaling is an important feature of VMSS, and it can be automatic based on various scaling rules and metrics. 
-Note that balancing across availability zones or fault domains does not move instances across availability zones or fault domains. The balancing is achieved through deletion of virtual machines from the unbalanced availability zones or fault domains until the distribution of virtual machines becomes balanced. +While Azure VMSS provides the option to enforce even distribution of VM instances across Availability Zones for increased resilience, there may be scenarios where disabling this option makes sense to better align with your application's load distribution and scaling requirements. -The scale-in policy feature provides users a way to configure the order in which virtual machines are scaled-in, by way of three scale-in configurations: +**Resources** + +- [Use scale-in policies with Azure Virtual Machine Scale Sets](https://learn.microsoft.com/azure/virtual-machine-scale-sets/virtual-machine-scale-sets-scale-in-policy) + +**Resource Graph Query/Scripts** + +{{< collapse title="Show/Hide Query/Script" >}} -- Default -- NewestVM -- OldestVM +{{< code lang="sql" file="code/vmss-6/vmss-6.kql" >}} {{< /code >}} + +{{< /collapse >}} + +
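Review bot: the Resources entry for VMSS-6 still links the scale-in policy article (`virtual-machine-scale-sets-scale-in-policy`), which belonged to the old "Custom scale-in policies" recommendation, while the rewritten body is about strictly even zone balancing; point it at the availability-zones article that VMSS-7 and VMSS-8 already reference (`virtual-machine-scale-sets-use-availability-zones`) instead. The heading also promises to explain the "scale in and out fail attempts", but the body only defines the two terms; one sentence on why enforcing strict balance makes a scale operation fail when a zone cannot place or release an instance would justify the High impact assigned here.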

+ +### VMSS-7 - Configure Allocation Policy Spreading algorithm to Max Spreading + +**Category: System Efficiency** + +**Impact: Medium** + +**Recommendation/Guidance** + +With max spreading, the scale set spreads your VMs across as many fault domains as possible within each zone. This spreading could be across greater or fewer than five fault domains per zone. With static fixed spreading, the scale set spreads your VMs across exactly five fault domains per zone. If the scale set cannot find five distinct fault domains per zone to satisfy the allocation request, the request fails. **Resources** -- [Use custom scale-in policies with Azure Virtual Machine Scale Sets](https://learn.microsoft.com/azure/virtual-machine-scale-sets/virtual-machine-scale-sets-scale-in-policy?WT.mc_id=Portal-Microsoft_Azure_Monitoring) +- [Availability Considerations](https://learn.microsoft.com/en-us/azure/virtual-machine-scale-sets/virtual-machine-scale-sets-use-availability-zones#availability-considerations) **Resource Graph Query/Scripts** {{< collapse title="Show/Hide Query/Script" >}} -{{< code lang="sql" file="code/vmss-6/vmss-6.kql" >}} {{< /code >}} +{{< code lang="sql" file="code/vmss-7/vmss-7.kql" >}} {{< /code >}} + +{{< /collapse >}} + +

+ +### VMSS-8 - Deploy VMSS across availability zones with VMSS Flex + +**Category: Availability** + +**Impact: High** + +**Recommendation/Guidance** + +When you create your VMSS, use availability zones to protect your applications and data against unlikely datacenter failure. + +**Resources** + +- [Create a Virtual Machine Scale Set that uses Availability Zones](https://learn.microsoft.com/azure/virtual-machine-scale-sets/virtual-machine-scale-sets-use-availability-zones) + +**Resource Graph Query/Scripts** + +{{< collapse title="Show/Hide Query/Script" >}} + +{{< code lang="sql" file="code/vmss-8/vmss-8.kql" >}} {{< /code >}} + +{{< /collapse >}} + +

+ +### VMSS-9 - Set Patch orchestration options to Azure-orchestrated + +**Category: Automation** + +**Impact: Low** + +**Recommendation/Guidance** + +Enabling automatic VM guest patching for your Azure VMs helps ease update management by safely and automatically patching virtual machines to maintain security compliance, while limiting the blast radius of VMs. + +**Resources** + +- [Automatic VM Guest Patching for Azure VMs](https://learn.microsoft.com/azure/virtual-machines/automatic-vm-guest-patching) + +**Resource Graph Query/Scripts** + +{{< collapse title="Show/Hide Query/Script" >}} + +{{< code lang="sql" file="code/vmss-9/vmss-9.kql" >}} {{< /code >}} {{< /collapse >}} diff --git a/docs/content/services/compute/virtual-machine-scale-sets/code/vmss-1/vmss-1.kql b/docs/content/services/compute/virtual-machine-scale-sets/code/vmss-1/vmss-1.kql index 9ebfdaac9..708448e54 100644 --- a/docs/content/services/compute/virtual-machine-scale-sets/code/vmss-1/vmss-1.kql +++ b/docs/content/services/compute/virtual-machine-scale-sets/code/vmss-1/vmss-1.kql @@ -1,6 +1,6 @@ // Azure Resource Graph Query -// Find all zonal VMs that are not deployed in a VMSS -Resources -| where type =~ 'Microsoft.Compute/virtualMachines' -| where isnull(zones) == false and isnull(properties.virtualMachineScaleSet) -| project recommendationId = "vmss-1", name, id +// Find all zonal VMs that are NOT deployed with Flex orchestration mode +resources +| where type == "microsoft.compute/virtualmachinescalesets" +| where properties.orchestrationMode != "Flexible" +| project recommendationId = "vmss-1", name, id, orchestrationMode = strcat("orchestrationMode: ", tostring(properties.orchestrationMode)) diff --git a/docs/content/services/compute/virtual-machine-scale-sets/code/vmss-2/vmss-2.kql b/docs/content/services/compute/virtual-machine-scale-sets/code/vmss-2/vmss-2.kql index 5e039f9a0..e3793569b 100644 --- a/docs/content/services/compute/virtual-machine-scale-sets/code/vmss-2/vmss-2.kql 
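Review bot: the header comment left in vmss-1.kql, `// Find all zonal VMs that are NOT deployed with Flex orchestration mode`, no longer describes the query, which now selects `microsoft.compute/virtualmachinescalesets` resources whose `properties.orchestrationMode` is not `Flexible` and has dropped the zonal restriction; reword it to `// Find all VMSS not using Flexible orchestration mode`. The summary table in this patch still shows VMSS-1 with `ARG Query Available | No`, so flip that cell to Yes now that a working query is checked in.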
+++ b/docs/content/services/compute/virtual-machine-scale-sets/code/vmss-2/vmss-2.kql @@ -1,2 +1,5 @@ // Azure Resource Graph Query // Under development +//resources +//| where type == "microsoft.compute/virtualmachinescalesets" +//| project recommendationId = "vmss-2", name, id diff --git a/docs/content/services/compute/virtual-machine-scale-sets/code/vmss-3/vmss-3.kql b/docs/content/services/compute/virtual-machine-scale-sets/code/vmss-3/vmss-3.kql index 5e039f9a0..e3793569b 100644 --- a/docs/content/services/compute/virtual-machine-scale-sets/code/vmss-3/vmss-3.kql +++ b/docs/content/services/compute/virtual-machine-scale-sets/code/vmss-3/vmss-3.kql @@ -1,2 +1,5 @@ // Azure Resource Graph Query // Under development +//resources +//| where type == "microsoft.compute/virtualmachinescalesets" +//| project recommendationId = "vmss-2", name, id diff --git a/docs/content/services/compute/virtual-machine-scale-sets/code/vmss-4/vmss-4.kql b/docs/content/services/compute/virtual-machine-scale-sets/code/vmss-4/vmss-4.kql index 5e039f9a0..4e7ed19b1 100644 --- a/docs/content/services/compute/virtual-machine-scale-sets/code/vmss-4/vmss-4.kql +++ b/docs/content/services/compute/virtual-machine-scale-sets/code/vmss-4/vmss-4.kql @@ -1,2 +1,14 @@ // Azure Resource Graph Query -// Under development +// Find VMSS instances associated with autoscale settings when autoscale is disabled +resources +| where type == "microsoft.compute/virtualmachinescalesets" +| project name, id +| join kind=leftouter ( + resources + | where type == "microsoft.insights/autoscalesettings" + | where tostring(properties.targetResourceUri) contains "Microsoft.Compute/virtualMachineScaleSets" + | project id = tostring(properties.targetResourceUri), autoscalesettings = properties +) on id +| where isnull(autoscalesettings) or autoscalesettings.enabled == "false" +| project recommendationId = "vmss-4", name, id, autoscalesettings = "autoscalesettings: Manual" +| order by id asc 
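Review bot: vmss-3.kql is a copy of the vmss-2.kql placeholder and still projects `recommendationId = "vmss-2"`; change it to `"vmss-3"` so the query does not emit the wrong recommendation ID the moment it is uncommented.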
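Review bot: in vmss-4.kql the join key `id = tostring(properties.targetResourceUri)` is matched against the scale set `id` column with `join kind=leftouter (...) on id`, and that join is case-sensitive; ARM resource IDs stored in `targetResourceUri` are not guaranteed to use the same casing as the `id` column, so a real autoscale setting can fail to match and the scale set is then wrongly reported as `autoscalesettings: Manual`. Normalise both sides with `tolower()` before the join. Separately, `autoscalesettings.enabled == "false"` compares a boolean property with a string literal; use `tobool(autoscalesettings.enabled) == false` so the comparison does not depend on how the value happens to be serialised.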
diff --git a/docs/content/services/compute/virtual-machine-scale-sets/code/vmss-5/vmss-5.kql b/docs/content/services/compute/virtual-machine-scale-sets/code/vmss-5/vmss-5.kql index 5e039f9a0..44529526f 100644 --- a/docs/content/services/compute/virtual-machine-scale-sets/code/vmss-5/vmss-5.kql +++ b/docs/content/services/compute/virtual-machine-scale-sets/code/vmss-5/vmss-5.kql @@ -1,2 +1,14 @@ // Azure Resource Graph Query -// Under development +// Find VMSS instances associated with autoscale settings when predictiveAutoscalePolicy_scaleMode is disabled +resources +| where type == "microsoft.compute/virtualmachinescalesets" +| project name, id +| join kind=leftouter ( + resources + | where type == "microsoft.insights/autoscalesettings" + | where tostring(properties.targetResourceUri) contains "Microsoft.Compute/virtualMachineScaleSets" + | project id = tostring(properties.targetResourceUri), autoscalesettings = properties +) on id +| where isnull(autoscalesettings) or autoscalesettings.enabled == "disabled" and autoscalesettings.predictiveAutoscalePolicy.scaleMode == "Disabled" +| project recommendationId = "vmss-5", name, id, predictiveAutoscalePolicy_scaleMode = "predictiveAutoscalePolicy_scaleMode: Disabled" +| order by id asc diff --git a/docs/content/services/compute/virtual-machine-scale-sets/code/vmss-6/vmss-6.kql b/docs/content/services/compute/virtual-machine-scale-sets/code/vmss-6/vmss-6.kql index 5e039f9a0..d21591ba6 100644 --- a/docs/content/services/compute/virtual-machine-scale-sets/code/vmss-6/vmss-6.kql +++ b/docs/content/services/compute/virtual-machine-scale-sets/code/vmss-6/vmss-6.kql 
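Review bot: the filter in vmss-5.kql, `isnull(autoscalesettings) or autoscalesettings.enabled == "disabled" and autoscalesettings.predictiveAutoscalePolicy.scaleMode == "Disabled"`, has two defects: `and` binds tighter than `or`, so it evaluates as `isnull(...) or (enabled == "disabled" and scaleMode == "Disabled")`, and `enabled` is the same boolean that vmss-4.kql compares against `"false"`, so `== "disabled"` never matches. The net effect is that only scale sets with no autoscale setting at all are returned, and the case the header comment describes (an autoscale setting whose predictive mode is Disabled) is never flagged. Suggested replacement: `| where isnull(autoscalesettings) or isnull(autoscalesettings.predictiveAutoscalePolicy) or tostring(autoscalesettings.predictiveAutoscalePolicy.scaleMode) == "Disabled"`, which leaves ForecastOnly and Enabled alone, matching the "at least Forecast Only" wording of VMSS-5.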
@@ -1,2 +1,7 @@ // Azure Resource Graph Query -// Under development +// Find VMSS instances where strictly zoneBalance is set to True +resources +| where type == "microsoft.compute/virtualmachinescalesets" +| where properties.orchestrationMode == "Uniform" and properties.zoneBalance == "True" +| project recommendationId = "vmss-6", name, id, zoneBalance = "strictly zoneBalance: Enabled" +| order by id asc diff --git a/docs/content/services/compute/virtual-machine-scale-sets/code/vmss-7/vmss-7.kql b/docs/content/services/compute/virtual-machine-scale-sets/code/vmss-7/vmss-7.kql new file mode 100644 index 000000000..d2570e479 --- /dev/null +++ b/docs/content/services/compute/virtual-machine-scale-sets/code/vmss-7/vmss-7.kql @@ -0,0 +1,7 @@ +// Azure Resource Graph Query +// Find VMSS instances where Spreading algorithm is set to Static +resources +| where type == "microsoft.compute/virtualmachinescalesets" +| where properties.platformFaultDomainCount > 1 +| project recommendationId = "vmss-7", name, id, platformFaultDomainCount = "platformFaultDomainCount: Static" +| order by id asc diff --git a/docs/content/services/compute/virtual-machine-scale-sets/code/vmss-8/vmss-8.kql b/docs/content/services/compute/virtual-machine-scale-sets/code/vmss-8/vmss-8.kql new file mode 100644 index 000000000..14afd2ec0 --- /dev/null +++ b/docs/content/services/compute/virtual-machine-scale-sets/code/vmss-8/vmss-8.kql @@ -0,0 +1,7 @@ +// Azure Resource Graph Query +// Find VMSS instances with one or no Zones selected +resources +| where type == "microsoft.compute/virtualmachinescalesets" +| where array_length(zones) <= 1 or isnull(zones) +| project recommendationId = "vmss-8", name, id, AvailabilityZones = "AvailabilityZones: Single Zone" +| order by id asc diff --git a/docs/content/services/compute/virtual-machine-scale-sets/code/vmss-9/vmss-9.kql b/docs/content/services/compute/virtual-machine-scale-sets/code/vmss-9/vmss-9.kql new file mode 100644 index 000000000..e3793569b 
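Review bot: in vmss-6.kql the condition `properties.zoneBalance == "True"` compares a boolean property with a string literal, the same pattern flagged in vmss-4.kql and vmss-5.kql; write it as `tobool(properties.zoneBalance) == true` so it matches regardless of serialisation. The projected column `zoneBalance = "strictly zoneBalance: Enabled"` is a constant that is true by construction of the filter; it is fine as a label, but it would be more useful to also project `tostring(properties.orchestrationMode)` so the reader sees which Uniform sets are affected.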
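Review bot: vmss-7.kql treats any `properties.platformFaultDomainCount` greater than 1 as static spreading (the filter `| where properties.platformFaultDomainCount > 1`), but then projects the constant string `"platformFaultDomainCount: Static"` instead of the number; project `platformFaultDomainCount = tostring(properties.platformFaultDomainCount)` so the output distinguishes the five-domain static layout described in VMSS-7 from any other explicit value. The header comment should also say what the filter actually does, e.g. `// Find VMSS whose fault domain count is not 1 (max spreading)`.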
--- /dev/null +++ b/docs/content/services/compute/virtual-machine-scale-sets/code/vmss-9/vmss-9.kql @@ -0,0 +1,5 @@ +// Azure Resource Graph Query +// Under development +//resources +//| where type == "microsoft.compute/virtualmachinescalesets" +//| project recommendationId = "vmss-2", name, id From 6673129b6826592d3aabce30d1ca38b1cc80853f Mon Sep 17 00:00:00 2001 From: Rodrigo Santos Date: Mon, 18 Sep 2023 18:57:32 -0400 Subject: [PATCH 3/6] updates --- .../virtual-machine-scale-sets/_index.md | 24 +++++++++---------- .../code/vmss-2/vmss-2.kql | 2 +- .../code/vmss-3/vmss-3.kql | 4 ++-- .../code/vmss-9/vmss-9.kql | 4 ++-- .../load-balancer/code/lb-1/lb-1.azcli | 1 - .../load-balancer/code/lb-1/lb-1.kql | 6 +++-- .../load-balancer/code/lb-1/lb-1.ps1 | 1 - .../load-balancer/code/lb-2/lb-2.azcli | 1 - .../load-balancer/code/lb-2/lb-2.kql | 22 ++++++++--------- .../load-balancer/code/lb-2/lb-2.ps1 | 1 - .../load-balancer/code/lb-3/lb-3.azcli | 1 - .../load-balancer/code/lb-3/lb-3.kql | 13 ++++------ .../load-balancer/code/lb-3/lb-3.ps1 | 1 - .../virtual-networks/code/vnet-1/vnet-1.kql | 11 +++++---- .../virtual-networks/code/vnet-2/vnet-2.kql | 6 +++-- .../virtual-networks/code/vnet-3/vnet-3.kql | 9 +++++-- 16 files changed, 54 insertions(+), 53 deletions(-) delete mode 100644 docs/content/services/networking/load-balancer/code/lb-1/lb-1.azcli delete mode 100644 docs/content/services/networking/load-balancer/code/lb-1/lb-1.ps1 delete mode 100644 docs/content/services/networking/load-balancer/code/lb-2/lb-2.azcli delete mode 100644 docs/content/services/networking/load-balancer/code/lb-2/lb-2.ps1 delete mode 100644 docs/content/services/networking/load-balancer/code/lb-3/lb-3.azcli delete mode 100644 docs/content/services/networking/load-balancer/code/lb-3/lb-3.ps1 diff --git a/docs/content/services/compute/virtual-machine-scale-sets/_index.md b/docs/content/services/compute/virtual-machine-scale-sets/_index.md index a29fd0330..cb5d65b4d 100644 
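Review bot: the new vmss-9.kql placeholder in PATCH 1/6 is a verbatim copy of vmss-2.kql, including `//| project recommendationId = "vmss-2", name, id`; it should read `"vmss-9"` so the file is correct when the query is filled in. The same copy-paste ID also appears in vmss-3.kql in this patch, so check all three placeholders together.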
--- a/docs/content/services/compute/virtual-machine-scale-sets/_index.md +++ b/docs/content/services/compute/virtual-machine-scale-sets/_index.md 
@@ -14,14 +14,14 @@ The presented resiliency recommendations in this guidance include Virtual Machin {{< table style="table-striped" >}} | Recommendation | Impact | State | ARG Query Available | | :---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | :----: | :-----: | :-----------------: | -| [VMSS-1 - Deploy VMSSs with Flex orchestration mode instead of Uniform](#vmss-1---deploy-vmsss-with-flex-orchestration-mode-instead-of-uniform) | Medium | Preview | No | -| [VMSS-2 - Enable Virtual Machine Scale Sets application health monitoring](#vmss-2---enable-virtual-machine-scale-sets-application-health-monitoring) | Low | Preview | No | -| [VMSS-3 - Enable Automatic repair policy](#vmss-3---enable-automatic-repair-policy) | High | Preview | No | -| [VMSS-4 - Configure Virtual Machine Scale Sets Autoscale to Custom and configure the scaling metrics](#vmss-4---configure-virtual-machine-scale-sets-autoscale-to-custom-and-configure-the-scaling-metrics) | High | Preview | No | -| [VMSS-5 - Enable Predictive autoscale and configure at least for Forecast Only](#vmss-5---enable-predictive-autoscale-and-configure-at-least-for-forecast-only) | Low | Preview | No | -| [VMSS-6 - Disable Force strictly even balance across zones to avoid scale in and out fail attempts](#vmss-6---disable-force-strictly-even-balance-across-zones-to-avoid-scale-in-and-out-fail-attempts) | Low | Preview | No | -| [VMSS-7 - Configure Allocation Policy Spreading algorithm to Max Spreading](#vmss-7---configure-allocation-policy-spreading-algorithm-to-max-spreading) | Low | Preview | No | -| [VMSS-8 - Deploy VMSS across availability zones with VMSS Flex](#vmss-8---deploy-vmss-across-availability-zones-with-vmss-flex) | Low | Preview | No | +| [VMSS-1 - Deploy VMSSs with Flex orchestration mode instead of 
Uniform](#vmss-1---deploy-vmss-with-flex-orchestration-mode-instead-of-uniform) | Medium | Preview | Yes | +| [VMSS-2 - Enable VMSS application health monitoring](#vmss-2---enable-vmss-application-health-monitoring) | Medium | Preview | No | +| [VMSS-3 - Enable Automatic Repair policy](#vmss-3---enable-automatic-repair-policy) | High | Preview | No | +| [VMSS-4 - Configure VMSS autoscale to custom and configure the scaling metrics](#vmss-4---configure-vmss-autoscale-to-custom-and-configure-the-scaling-metrics) | High | Preview | Yes | +| [VMSS-5 - Enable Predictive Autoscale and configure at least for Forecast Only](#vmss-5---enable-predictive-autoscale-and-configure-at-least-for-forecast-only) | Low | Preview | Yes | +| [VMSS-6 - Disable Force strictly even balance across zones to avoid scale in and out fail attempts](#vmss-6---disable-force-strictly-even-balance-across-zones-to-avoid-scale-in-and-out-fail-attempts) | High | Preview | Yes | +| [VMSS-7 - Configure Allocation Policy Spreading algorithm to Max Spreading](#vmss-7---configure-allocation-policy-spreading-algorithm-to-max-spreading) | Medium | Preview | Yes | +| [VMSS-8 - Deploy VMSS across availability zones with VMSS Flex](#vmss-8---deploy-vmss-across-availability-zones-with-vmss-flex) | High | Preview | Yes | | [VMSS-9 - Set Patch orchestration options to Azure-orchestrated](#vmss-9---set-patch-orchestration-options-to-azure-orchestrated) | Low | Preview | No | {{< /table >}} @@ -33,7 +33,7 @@ Definitions of states can be found [here]({{< ref "../../../_index.md#definition ## Recommendations Details -### VMSS-1 - Deploy VMSSs with Flex orchestration mode instead of Uniform +### VMSS-1 - Deploy VMSS with Flex orchestration mode instead of Uniform **Impact: Medium** @@ -56,7 +56,7 @@ Even single instance VMs should be deployed into a scale set using the Flexible

-### VMSS-2 - Enable Virtual Machine Scale Sets application health monitoring +### VMSS-2 - Enable VMSS application health monitoring **Category: Monitoring** @@ -80,7 +80,7 @@ Monitoring your application health is an important signal for managing and upgra

-### VMSS-3 - Enable Automatic repair policy +### VMSS-3 - Enable Automatic Repair policy **Category: Automation** @@ -106,7 +106,7 @@ Grace period is specified in minutes in ISO 8601 format and can be set using the

-### VMSS-4 - Configure Virtual Machine Scale Sets Autoscale to Custom and configure the scaling metrics +### VMSS-4 - Configure VMSS Autoscale to custom and configure the scaling metrics **Category: System Efficiency** diff --git a/docs/content/services/compute/virtual-machine-scale-sets/code/vmss-2/vmss-2.kql b/docs/content/services/compute/virtual-machine-scale-sets/code/vmss-2/vmss-2.kql index e3793569b..91c74cc3a 100644 --- a/docs/content/services/compute/virtual-machine-scale-sets/code/vmss-2/vmss-2.kql +++ b/docs/content/services/compute/virtual-machine-scale-sets/code/vmss-2/vmss-2.kql @@ -1,5 +1,5 @@ // Azure Resource Graph Query // Under development -//resources +// resources //| where type == "microsoft.compute/virtualmachinescalesets" //| project recommendationId = "vmss-2", name, id diff --git a/docs/content/services/compute/virtual-machine-scale-sets/code/vmss-3/vmss-3.kql b/docs/content/services/compute/virtual-machine-scale-sets/code/vmss-3/vmss-3.kql index e3793569b..913fa4536 100644 --- a/docs/content/services/compute/virtual-machine-scale-sets/code/vmss-3/vmss-3.kql +++ b/docs/content/services/compute/virtual-machine-scale-sets/code/vmss-3/vmss-3.kql @@ -1,5 +1,5 @@ // Azure Resource Graph Query // Under development -//resources +// resources //| where type == "microsoft.compute/virtualmachinescalesets" -//| project recommendationId = "vmss-2", name, id +//| project recommendationId = "vmss-3", name, id diff --git a/docs/content/services/compute/virtual-machine-scale-sets/code/vmss-9/vmss-9.kql b/docs/content/services/compute/virtual-machine-scale-sets/code/vmss-9/vmss-9.kql index e3793569b..913fa4536 100644 --- a/docs/content/services/compute/virtual-machine-scale-sets/code/vmss-9/vmss-9.kql +++ b/docs/content/services/compute/virtual-machine-scale-sets/code/vmss-9/vmss-9.kql 
@@ -1,5 +1,5 @@ // Azure Resource Graph Query // Under development -//resources +// resources //| where type == "microsoft.compute/virtualmachinescalesets" -//| project recommendationId = "vmss-2", name, id +//| project recommendationId = "vmss-3", name, id diff --git a/docs/content/services/networking/load-balancer/code/lb-1/lb-1.azcli b/docs/content/services/networking/load-balancer/code/lb-1/lb-1.azcli deleted file mode 100644 index 53d6ce9b0..000000000 --- a/docs/content/services/networking/load-balancer/code/lb-1/lb-1.azcli +++ /dev/null @@ -1 +0,0 @@ -az resource list --resource-type "Micosoft.Example/changeMe" | jq . diff --git a/docs/content/services/networking/load-balancer/code/lb-1/lb-1.kql b/docs/content/services/networking/load-balancer/code/lb-1/lb-1.kql index f7f2b7372..350db5450 100644 --- a/docs/content/services/networking/load-balancer/code/lb-1/lb-1.kql +++ b/docs/content/services/networking/load-balancer/code/lb-1/lb-1.kql @@ -1,5 +1,7 @@ +// Azure Resource Graph Query +// Find all LoadBalancers using Basic SKU resources | where type =~ 'Microsoft.Network/loadbalancers' | extend sku = tostring(sku.name) -| where sku != 'Standard' -| project id,name,resourceGroup,subscriptionId,sku +| where sku == 'Basic' +| project recommendationId = "lb-1", name, id, sku diff --git a/docs/content/services/networking/load-balancer/code/lb-1/lb-1.ps1 b/docs/content/services/networking/load-balancer/code/lb-1/lb-1.ps1 deleted file mode 100644 index d9007ae40..000000000 --- a/docs/content/services/networking/load-balancer/code/lb-1/lb-1.ps1 +++ /dev/null @@ -1 +0,0 @@ -Get-AzResource -ResourceType "Micrsoft.Example/changeMe" | Select-Object name, location, resourceGroup, properties diff --git a/docs/content/services/networking/load-balancer/code/lb-2/lb-2.azcli b/docs/content/services/networking/load-balancer/code/lb-2/lb-2.azcli deleted file mode 100644 index 53d6ce9b0..000000000 
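Review bot: the vmss-9.kql hunk replaces `recommendationId = "vmss-2"` with `"vmss-3"`, but this file backs VMSS-9, so the line should be `//| project recommendationId = "vmss-9", name, id`; it looks like the vmss-3.kql correction in the same commit was applied to both files. On lb-1.kql, narrowing `sku != 'Standard'` to `sku == 'Basic'` is a behaviour change worth a word in the commit message, since any non-Basic, non-Standard SKU is no longer reported.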
--- a/docs/content/services/networking/load-balancer/code/lb-2/lb-2.azcli +++ /dev/null @@ -1 +0,0 @@ -az resource list --resource-type "Micosoft.Example/changeMe" | jq . diff --git a/docs/content/services/networking/load-balancer/code/lb-2/lb-2.kql b/docs/content/services/networking/load-balancer/code/lb-2/lb-2.kql index cba2115d2..e36a3bcc6 100644 --- a/docs/content/services/networking/load-balancer/code/lb-2/lb-2.kql +++ b/docs/content/services/networking/load-balancer/code/lb-2/lb-2.kql @@ -1,16 +1,16 @@ // Azure Resource Graph Query -// Find all LoadBalancers which only have 1 backend pool defined -Resources +// Find all LoadBalancers which only have 1 backend pool defined or only 1 VM in the backend pool +resources | where type =~ 'Microsoft.Network/loadBalancers' | extend bep = properties.backendAddressPools | extend BackEndPools = array_length(bep) | where BackEndPools == 0 -| project recommendationId = "lb-2", name, id, BackEndPools, BackendAddresses=0 -| union (Resources -| where type =~ 'Microsoft.Network/loadBalancers' -| extend bep = properties.backendAddressPools -| extend BackEndPools = array_length(bep) -| mv-expand bip = properties.backendAddressPools -| extend BackendAddresses = array_length(bip.properties.loadBalancerBackendAddresses) -| where BackendAddresses <= 1 -| project recommendationId = "lb-2", name, id, BackEndPools, BackendAddresses) +| project recommendationId = "lb-2", name, id, Param1=BackEndPools, Param2=0 +| union (resources + | where type =~ 'Microsoft.Network/loadBalancers' + | extend bep = properties.backendAddressPools + | extend BackEndPools = array_length(bep) + | mv-expand bip = properties.backendAddressPools + | extend BackendAddresses = array_length(bip.properties.loadBalancerBackendAddresses) + | where BackendAddresses <= 1 + | project recommendationId = "lb-2", name, id, Param1=BackEndPools, Param2=BackendAddresses) 
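Review bot: in lb-2.kql the updated header comment says "only have 1 backend pool defined", but the first branch filters `| where BackEndPools == 0`, so the comment and the code disagree; say "no backend pool" for that branch. In the second branch, `array_length(bip.properties.loadBalancerBackendAddresses)` returns null for a pool whose members are attached through NIC `backendIPConfigurations` (the property the old lb-3.kql walked), and `null <= 1` is not true, so such load balancers are silently dropped instead of being reported; either count both properties or state the limitation in the comment. Renaming the output columns to `Param1`/`Param2` also discards the meaning the old `BackEndPools`/`BackendAddresses` names carried; if the renderer requires generic names, keep the descriptive ones in the comment.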
diff --git a/docs/content/services/networking/load-balancer/code/lb-2/lb-2.ps1 b/docs/content/services/networking/load-balancer/code/lb-2/lb-2.ps1 deleted file mode 100644 index d9007ae40..000000000 --- a/docs/content/services/networking/load-balancer/code/lb-2/lb-2.ps1 +++ /dev/null @@ -1 +0,0 @@ -Get-AzResource -ResourceType "Micrsoft.Example/changeMe" | Select-Object name, location, resourceGroup, properties diff --git a/docs/content/services/networking/load-balancer/code/lb-3/lb-3.azcli b/docs/content/services/networking/load-balancer/code/lb-3/lb-3.azcli deleted file mode 100644 index 53d6ce9b0..000000000 --- a/docs/content/services/networking/load-balancer/code/lb-3/lb-3.azcli +++ /dev/null @@ -1 +0,0 @@ -az resource list --resource-type "Micosoft.Example/changeMe" | jq . diff --git a/docs/content/services/networking/load-balancer/code/lb-3/lb-3.kql b/docs/content/services/networking/load-balancer/code/lb-3/lb-3.kql index be52e02c5..b7328908c 100644 --- a/docs/content/services/networking/load-balancer/code/lb-3/lb-3.kql +++ b/docs/content/services/networking/load-balancer/code/lb-3/lb-3.kql 
@@ -1,9 +1,6 @@ -Resources +// Azure Resource Graph Query +// Find all LoadBalancers with Outbound rules configured | where type =~ 'Microsoft.Network/loadBalancers' -| extend backendAddressPools = properties.backendAddressPools -| mv-expand backendAddressPool = backendAddressPools -| extend backendIPConfigurations = backendAddressPool.properties.backendIPConfigurations -| mv-expand backendIPConfiguration = backendIPConfigurations -| extend outboundRules = backendIPConfiguration.properties.outboundRules -| mv-expand outboundRule = outboundRules -| project LoadBalancerName = name, OutboundRuleName = outboundRule.name, OutboundRuleDescription = outboundRule.properties.description, OutboundRuleProtocol = outboundRule.properties.protocol, OutboundRuleSourceAddressPrefix = outboundRule.properties.sourceAddressPrefix, OutboundRuleSourcePortRange = outboundRule.properties.sourcePortRange, OutboundRuleDestinationAddressPrefix = outboundRule.properties.destinationAddressPrefix, OutboundRuleDestinationPortRange = outboundRule.properties.destinationPortRange +| extend outboundRules = array_length(properties.outboundRules) +| where outboundRules > 0 +| project recommendationId = "lb-3", name, id, Param1 = "outboundRules: >=1" diff --git a/docs/content/services/networking/load-balancer/code/lb-3/lb-3.ps1 b/docs/content/services/networking/load-balancer/code/lb-3/lb-3.ps1 deleted file mode 100644 index d9007ae40..000000000 --- a/docs/content/services/networking/load-balancer/code/lb-3/lb-3.ps1 +++ /dev/null @@ -1 +0,0 @@ -Get-AzResource -ResourceType "Micrsoft.Example/changeMe" | Select-Object name, location, resourceGroup, properties diff --git a/docs/content/services/networking/virtual-networks/code/vnet-1/vnet-1.kql b/docs/content/services/networking/virtual-networks/code/vnet-1/vnet-1.kql index 12956c3fc..b2f58d16f 100644 --- a/docs/content/services/networking/virtual-networks/code/vnet-1/vnet-1.kql 
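Review bot: The lb-3.kql hunk removes the `Resources` source line and adds only the two comment lines, so the query now begins with `| where type =~ 'Microsoft.Network/loadBalancers'` and has no table to read from; it will not run in Resource Graph. Add `resources` after the comments, matching the lowercase table name used in lb-1/lb-2:

```
// Find all LoadBalancers with Outbound rules configured
resources
| where type =~ 'Microsoft.Network/loadBalancers'
```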
+++ b/docs/content/services/networking/virtual-networks/code/vnet-1/vnet-1.kql @@ -1,7 +1,8 @@ +// Azure Resource Graph Query +// Find Subnets without NSG associated resources | where type =~ 'Microsoft.Network/virtualnetworks' -| join (resources - | where type =~ 'Microsoft.Network/virtualnetworks' - | project id, name, properties.subnets[0].name) on id -| project recommendationId = "vnet-1", name = tostring(properties.subnets[0].name), id, NSG = tostring(properties['subnets'][0]['properties']['networkSecurityGroup']['id']) -| where NSG == "" +| mv-expand subnets = properties.subnets +| extend sn = string_size(subnets.properties.networkSecurityGroup) +| where sn == 0 +| project recommendationId = "vnet-1", name, id, subnets.name, NSG="NSG: False" diff --git a/docs/content/services/networking/virtual-networks/code/vnet-2/vnet-2.kql b/docs/content/services/networking/virtual-networks/code/vnet-2/vnet-2.kql index 19d653e1b..170c19406 100644 --- a/docs/content/services/networking/virtual-networks/code/vnet-2/vnet-2.kql +++ b/docs/content/services/networking/virtual-networks/code/vnet-2/vnet-2.kql @@ -1,4 +1,6 @@ +// Azure Resource Graph Query +// Find Subnets without NSG associated resources | where type =~ 'Microsoft.Network/virtualNetworks' -| where tostring(properties.enableDdosProtection) contains "false" -| project recommendationId = "vnet-2", name, id, properties.enableDdosProtection +| where isnull(properties.enableDdosProtection) or properties.enableDdosProtection contains "false" +| project recommendationId = "vnet-2", name, id, DdosProtection=properties.enableDdosProtection diff --git a/docs/content/services/networking/virtual-networks/code/vnet-3/vnet-3.kql b/docs/content/services/networking/virtual-networks/code/vnet-3/vnet-3.kql index d90155b25..88efb3375 100644 --- a/docs/content/services/networking/virtual-networks/code/vnet-3/vnet-3.kql +++ b/docs/content/services/networking/virtual-networks/code/vnet-3/vnet-3.kql 
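Review bot: In the vnet-1.kql hunk, `string_size(subnets.properties.networkSecurityGroup)` is being used as a null test on a dynamic property; when the subnet has no NSG the property is absent (null), not an empty string, so the `sn == 0` match depends on an implicit conversion. `| where isnull(subnets.properties.networkSecurityGroup)` states the intent directly and does not rely on that conversion. The move to `mv-expand` is a clear improvement over the old `subnets[0]`-only check, which ignored every subnet but the first.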
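Review bot: In the vnet-2.kql hunk the added header comment reads "Find Subnets without NSG associated", which is copied from vnet-1; this query checks `enableDdosProtection`, so the comment should say so. Separately, `properties.enableDdosProtection contains "false"` applies a string operator to a boolean property; `tobool(properties.enableDdosProtection) != true` covers both the null and the false case in one predicate and avoids the string coercion.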
@@ -1,3 +1,8 @@ +// Azure Resource Graph Query +// Find Subnets with Service Endpoint enabled resources -| where type =~ 'Microsoft.Network/privateEndpoints' -| project recommendationId = "vnet-3", name, id, location +| where type =~ 'Microsoft.Network/virtualnetworks' +| mv-expand subnets = properties.subnets +| extend se = string_size(subnets.properties.serviceEndpoints) +| where se >= 1 +| project recommendationId = "vnet-3", name, id, subnets.name, Param1="ServiceEndpoints: true" From 03696de101698ca341953bd59668d674fdbc75a5 Mon Sep 17 00:00:00 2001 From: Rodrigo Santos Date: Mon, 18 Sep 2023 19:03:16 -0400 Subject: [PATCH 4/6] updates1 --- .../services/compute/virtual-machine-scale-sets/_index.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/content/services/compute/virtual-machine-scale-sets/_index.md b/docs/content/services/compute/virtual-machine-scale-sets/_index.md index cb5d65b4d..ec3fa67a6 100644 --- a/docs/content/services/compute/virtual-machine-scale-sets/_index.md +++ b/docs/content/services/compute/virtual-machine-scale-sets/_index.md 
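Review bot: In the vnet-3.kql hunk, `string_size(subnets.properties.serviceEndpoints) >= 1` will also match a subnet whose `serviceEndpoints` is an empty array, because the serialised value `[]` has a string size of 2; that produces false positives for subnets with no service endpoints. `| where array_length(subnets.properties.serviceEndpoints) > 0` checks the actual element count. The same `string_size` pattern appears in vnet-1 and nsg-5 in this series and would benefit from the same treatment.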
@@ -14,7 +14,7 @@ The presented resiliency recommendations in this guidance include Virtual Machin {{< table style="table-striped" >}} | Recommendation | Impact | State | ARG Query Available | | :---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | :----: | :-----: | :-----------------: | -| [VMSS-1 - Deploy VMSSs with Flex orchestration mode instead of Uniform](#vmss-1---deploy-vmss-with-flex-orchestration-mode-instead-of-uniform) | Medium | Preview | Yes | +| [VMSS-1 - Deploy VMSS with Flex orchestration mode instead of Uniform](#vmss-1---deploy-vmss-with-flex-orchestration-mode-instead-of-uniform) | Medium | Preview | Yes | | [VMSS-2 - Enable VMSS application health monitoring](#vmss-2---enable-vmss-application-health-monitoring) | Medium | Preview | No | | [VMSS-3 - Enable Automatic Repair policy](#vmss-3---enable-automatic-repair-policy) | High | Preview | No | | [VMSS-4 - Configure VMSS autoscale to custom and configure the scaling metrics](#vmss-4---configure-vmss-autoscale-to-custom-and-configure-the-scaling-metrics) | High | Preview | Yes | From 8d1da42f5046f86e6e8d2dc31881933f88dbbbf6 Mon Sep 17 00:00:00 2001 
From: Rodrigo Santos Date: Tue, 19 Sep 2023 02:16:22 -0400 Subject: [PATCH 5/6] major-updates-sep-2023 --- docs/content/contributing/_index.md | 2 +- .../code/cr-1/cr-1.kql | 2 +- .../code/cr-2/cr-2.kql | 4 +- .../code/appgw-1/appgw-1.kql | 11 +- .../code/appgw-3/appgw-3.kql | 9 +- .../code/appgw-4/appgw-4.kql | 12 +- .../network-security-group/_index.md | 153 ++++++++++++ .../code/nsg-1/nsg-1.kql | 2 + .../code/nsg-2/nsg-2.kql | 2 + .../code/nsg-3/nsg-3.kql | 2 + .../code/nsg-4/nsg-4.kql | 6 + .../code/nsg-5/nsg-5.kql | 7 + .../networking/network-watcher/_index.md | 75 ++++++ .../network-watcher/code/nw-1/nw-1.kql | 9 + .../network-watcher/code/nw-2/nw-2.kql | 10 + .../networking/private-endpoints/_index.md | 50 ++++ .../private-endpoints/code/pep-1/pep-1.kql | 6 + .../services/security/key-vault/_index.md | 14 +- .../security/key-vault/code/kv-1/kv-1.kql | 4 +- .../security/key-vault/code/kv-2/kv-2.kql | 4 +- .../security/key-vault/code/kv-3/kv-3.kql | 4 +- .../security/key-vault/code/kv-4/kv-4.kql | 5 +- .../security/key-vault/code/kv-5/kv-5.kql | 3 +- .../storage/storage-Account/_index.md | 72 +++--- .../storage-Account/code/st-1/st-1.kql | 6 +- .../storage-Account/code/st-2/st-2.kql | 2 +- .../storage-Account/code/st-3/st-3.kql | 4 +- .../storage-Account/code/st-4/st-4.kql | 5 +- .../storage-Account/code/st-5/st-5.kql | 5 - .../storage-Account/code/st-5/st-5.ps1 | 6 + .../storage-Account/code/st-6/st-6.kql | 6 - .../storage-Account/code/st-6/st-6.ps1 | 16 ++ .../storage-Account/code/st-7/st-7.kql | 5 - .../storage-Account/code/st-7/st-7.ps1 | 16 ++ .../storage-Account/code/st-8/st-8.kql | 1 - .../storage-Account/code/st-8/st-8.ps1 | 16 ++ .../storage-Account/code/st-9/st-9.kql | 4 - .../well-architected/1-define/_index.md | 79 +++++++ .../1-define/code/cm-1/cm-1.azcli | 1 + .../1-define/code/cm-1/cm-1.kql | 6 + .../1-define/code/cm-1/cm-1.ps1 | 1 + .../1-define/code/cm-2/cm-2.azcli | 1 + .../1-define/code/cm-2/cm-2.kql | 6 + .../1-define/code/cm-2/cm-2.ps1 | 1 
+ .../well-architected/2-design/_index.md | 223 ++++++++++++++++++ .../2-design/code/cm-1/cm-1.azcli | 1 + .../2-design/code/cm-1/cm-1.kql | 6 + .../2-design/code/cm-1/cm-1.ps1 | 1 + .../2-design/code/cm-2/cm-2.azcli | 1 + .../2-design/code/cm-2/cm-2.kql | 6 + .../2-design/code/cm-2/cm-2.ps1 | 1 + .../content/well-architected/3-test/_index.md | 136 +++++++++++ .../3-test/code/cm-1/cm-1.azcli | 1 + .../3-test/code/cm-1/cm-1.kql | 6 + .../3-test/code/cm-1/cm-1.ps1 | 1 + .../3-test/code/cm-2/cm-2.azcli | 1 + .../3-test/code/cm-2/cm-2.kql | 6 + .../3-test/code/cm-2/cm-2.ps1 | 1 + .../well-architected/4-deploy/_index.md | 70 ++++++ .../4-deploy/code/cm-1/cm-1.azcli | 1 + .../4-deploy/code/cm-1/cm-1.kql | 6 + .../4-deploy/code/cm-1/cm-1.ps1 | 1 + .../4-deploy/code/cm-2/cm-2.azcli | 1 + .../4-deploy/code/cm-2/cm-2.kql | 6 + .../4-deploy/code/cm-2/cm-2.ps1 | 1 + .../well-architected/5-monitor/_index.md | 122 ++++++++++ .../5-monitor/code/cm-1/cm-1.azcli | 1 + .../5-monitor/code/cm-1/cm-1.kql | 6 + .../5-monitor/code/cm-1/cm-1.ps1 | 1 + .../5-monitor/code/cm-2/cm-2.azcli | 1 + .../5-monitor/code/cm-2/cm-2.kql | 6 + .../5-monitor/code/cm-2/cm-2.ps1 | 1 + .../well-architected/6-respond/_index.md | 56 +++++ .../6-respond/code/cm-1/cm-1.azcli | 1 + .../6-respond/code/cm-1/cm-1.kql | 6 + .../6-respond/code/cm-1/cm-1.ps1 | 1 + .../6-respond/code/cm-2/cm-2.azcli | 1 + .../6-respond/code/cm-2/cm-2.kql | 6 + .../6-respond/code/cm-2/cm-2.ps1 | 1 + docs/content/well-architected/_index.md | 21 ++ 80 files changed, 1264 insertions(+), 99 deletions(-) create mode 100644 docs/content/services/networking/network-security-group/_index.md create mode 100644 docs/content/services/networking/network-security-group/code/nsg-1/nsg-1.kql create mode 100644 docs/content/services/networking/network-security-group/code/nsg-2/nsg-2.kql create mode 100644 docs/content/services/networking/network-security-group/code/nsg-3/nsg-3.kql create mode 100644 
docs/content/services/networking/network-security-group/code/nsg-4/nsg-4.kql create mode 100644 docs/content/services/networking/network-security-group/code/nsg-5/nsg-5.kql create mode 100644 docs/content/services/networking/network-watcher/_index.md create mode 100644 docs/content/services/networking/network-watcher/code/nw-1/nw-1.kql create mode 100644 docs/content/services/networking/network-watcher/code/nw-2/nw-2.kql create mode 100644 docs/content/services/networking/private-endpoints/_index.md create mode 100644 docs/content/services/networking/private-endpoints/code/pep-1/pep-1.kql delete mode 100644 docs/content/services/storage/storage-Account/code/st-5/st-5.kql create mode 100644 docs/content/services/storage/storage-Account/code/st-5/st-5.ps1 delete mode 100644 docs/content/services/storage/storage-Account/code/st-6/st-6.kql create mode 100644 docs/content/services/storage/storage-Account/code/st-6/st-6.ps1 delete mode 100644 docs/content/services/storage/storage-Account/code/st-7/st-7.kql create mode 100644 docs/content/services/storage/storage-Account/code/st-7/st-7.ps1 delete mode 100644 docs/content/services/storage/storage-Account/code/st-8/st-8.kql create mode 100644 docs/content/services/storage/storage-Account/code/st-8/st-8.ps1 delete mode 100644 docs/content/services/storage/storage-Account/code/st-9/st-9.kql create mode 100644 docs/content/well-architected/1-define/_index.md create mode 100644 docs/content/well-architected/1-define/code/cm-1/cm-1.azcli create mode 100644 docs/content/well-architected/1-define/code/cm-1/cm-1.kql create mode 100644 docs/content/well-architected/1-define/code/cm-1/cm-1.ps1 create mode 100644 docs/content/well-architected/1-define/code/cm-2/cm-2.azcli create mode 100644 docs/content/well-architected/1-define/code/cm-2/cm-2.kql create mode 100644 docs/content/well-architected/1-define/code/cm-2/cm-2.ps1 create mode 100644 docs/content/well-architected/2-design/_index.md create mode 100644 
docs/content/well-architected/2-design/code/cm-1/cm-1.azcli create mode 100644 docs/content/well-architected/2-design/code/cm-1/cm-1.kql create mode 100644 docs/content/well-architected/2-design/code/cm-1/cm-1.ps1 create mode 100644 docs/content/well-architected/2-design/code/cm-2/cm-2.azcli create mode 100644 docs/content/well-architected/2-design/code/cm-2/cm-2.kql create mode 100644 docs/content/well-architected/2-design/code/cm-2/cm-2.ps1 create mode 100644 docs/content/well-architected/3-test/_index.md create mode 100644 docs/content/well-architected/3-test/code/cm-1/cm-1.azcli create mode 100644 docs/content/well-architected/3-test/code/cm-1/cm-1.kql create mode 100644 docs/content/well-architected/3-test/code/cm-1/cm-1.ps1 create mode 100644 docs/content/well-architected/3-test/code/cm-2/cm-2.azcli create mode 100644 docs/content/well-architected/3-test/code/cm-2/cm-2.kql create mode 100644 docs/content/well-architected/3-test/code/cm-2/cm-2.ps1 create mode 100644 docs/content/well-architected/4-deploy/_index.md create mode 100644 docs/content/well-architected/4-deploy/code/cm-1/cm-1.azcli create mode 100644 docs/content/well-architected/4-deploy/code/cm-1/cm-1.kql create mode 100644 docs/content/well-architected/4-deploy/code/cm-1/cm-1.ps1 create mode 100644 docs/content/well-architected/4-deploy/code/cm-2/cm-2.azcli create mode 100644 docs/content/well-architected/4-deploy/code/cm-2/cm-2.kql create mode 100644 docs/content/well-architected/4-deploy/code/cm-2/cm-2.ps1 create mode 100644 docs/content/well-architected/5-monitor/_index.md create mode 100644 docs/content/well-architected/5-monitor/code/cm-1/cm-1.azcli create mode 100644 docs/content/well-architected/5-monitor/code/cm-1/cm-1.kql create mode 100644 docs/content/well-architected/5-monitor/code/cm-1/cm-1.ps1 create mode 100644 docs/content/well-architected/5-monitor/code/cm-2/cm-2.azcli create mode 100644 docs/content/well-architected/5-monitor/code/cm-2/cm-2.kql create mode 100644 
docs/content/well-architected/5-monitor/code/cm-2/cm-2.ps1 create mode 100644 docs/content/well-architected/6-respond/_index.md create mode 100644 docs/content/well-architected/6-respond/code/cm-1/cm-1.azcli create mode 100644 docs/content/well-architected/6-respond/code/cm-1/cm-1.kql create mode 100644 docs/content/well-architected/6-respond/code/cm-1/cm-1.ps1 create mode 100644 docs/content/well-architected/6-respond/code/cm-2/cm-2.azcli create mode 100644 docs/content/well-architected/6-respond/code/cm-2/cm-2.kql create mode 100644 docs/content/well-architected/6-respond/code/cm-2/cm-2.ps1 create mode 100644 docs/content/well-architected/_index.md diff --git a/docs/content/contributing/_index.md b/docs/content/contributing/_index.md index dc3f4e528..cab1911fb 100644 --- a/docs/content/contributing/_index.md +++ b/docs/content/contributing/_index.md @@ -1,7 +1,7 @@ +++ title = "Contributing" description = "Contribution Guide for the Azure Proactive Resiliency Library (APRL)" -weight = 2 +weight = 3 +++ {{< panel title="Contributions Notice" style="warning" >}} Currently we can only accept contributions from Microsoft FTEs. In the future we will look to change this. {{< /panel >}} diff --git a/docs/content/services/container/azure-container-registry/code/cr-1/cr-1.kql b/docs/content/services/container/azure-container-registry/code/cr-1/cr-1.kql index 24a46e79f..e49b69449 100644 --- a/docs/content/services/container/azure-container-registry/code/cr-1/cr-1.kql +++ b/docs/content/services/container/azure-container-registry/code/cr-1/cr-1.kql @@ -3,5 +3,5 @@ resources | where type =~ "microsoft.containerregistry/registries" | where sku.name != "Premium" -| project recommendationId = "cr-1", name, id +| project recommendationId = "cr-1", name, id, param1=strcat("SkuName: ", tostring(sku.name)) | order by id asc 
diff --git a/docs/content/services/container/azure-container-registry/code/cr-2/cr-2.kql b/docs/content/services/container/azure-container-registry/code/cr-2/cr-2.kql index 1fcc6a0b0..c93ffa3ec 100644 --- a/docs/content/services/container/azure-container-registry/code/cr-2/cr-2.kql +++ b/docs/content/services/container/azure-container-registry/code/cr-2/cr-2.kql @@ -2,6 +2,6 @@ // Find all Container Registries that do not have zone redundancy enabled resources | where type =~ "microsoft.containerregistry/registries" -| where properties.zoneRedundancy == "Disabled" -| project recommendationId = "cr-2", name, id +| where sku.name != "Premium" or properties.zoneRedundancy != "Enabled" +| project recommendationId = "cr-2", name, id, param1=strcat("zoneRedundancy: ", tostring(properties.zoneRedundancy)) | order by id asc diff --git a/docs/content/services/networking/Application Gateway/code/appgw-1/appgw-1.kql b/docs/content/services/networking/Application Gateway/code/appgw-1/appgw-1.kql index 4df5cf025..e19ce7336 100644 --- a/docs/content/services/networking/Application Gateway/code/appgw-1/appgw-1.kql +++ b/docs/content/services/networking/Application Gateway/code/appgw-1/appgw-1.kql @@ -1,4 +1,7 @@ -Resources -| where type == "microsoft.network/applicationGateways" -| where properties.capacity.autoScaleConfiguration != null -| where properties.capacity.autoScaleConfiguration.minCapacity >= 2 +// Azure Resource Graph Query +// This query will return all Application Gateways that do not have autoscale enabled or have a min capacity of 1 +resources +| where type =~ "microsoft.network/applicationGateways" +| where isnull(properties.capacity.autoScaleConfiguration) or properties.capacity.autoScaleConfiguration.minCapacity <= 1 +| project recommendationId = "appgw-1", name, id, param1 = "autoScaleConfiguration: isNull or MinCapacity <= 1" +| order by id asc 
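Review bot: In the cr-2.kql hunk the new predicate `sku.name != "Premium" or properties.zoneRedundancy != "Enabled"` means every non-Premium registry is now reported by both cr-1 and cr-2, so a single Basic registry produces two findings for one root cause (SKU). If that overlap is intended because zone redundancy is only available on Premium, the comment should say so; otherwise restrict cr-2 to Premium registries and let cr-1 own the SKU finding.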
diff --git a/docs/content/services/networking/Application Gateway/code/appgw-3/appgw-3.kql b/docs/content/services/networking/Application Gateway/code/appgw-3/appgw-3.kql index cf839a1ba..bb78140a3 100644 --- a/docs/content/services/networking/Application Gateway/code/appgw-3/appgw-3.kql +++ b/docs/content/services/networking/Application Gateway/code/appgw-3/appgw-3.kql @@ -1,4 +1,7 @@ +// Azure Resource Graph Query +// This query will return all Application Gateways that do not have WAF enabled Resources -| where type == "microsoft.network/applicationGateways" -| where properties.webApplicationFirewallConfiguration != null -| project name, waf_enabled = tobool(properties.webApplicationFirewallConfiguration.enabled) +| where type =~ "microsoft.network/applicationGateways" +| where isnull(properties.webApplicationFirewallConfiguration) +| project recommendationId = "appgw-3", name, id, param1 = "webApplicationFirewallConfiguration: isNull" +| order by id asc diff --git a/docs/content/services/networking/Application Gateway/code/appgw-4/appgw-4.kql b/docs/content/services/networking/Application Gateway/code/appgw-4/appgw-4.kql index c96460c39..7f15898e3 100644 --- a/docs/content/services/networking/Application Gateway/code/appgw-4/appgw-4.kql +++ b/docs/content/services/networking/Application Gateway/code/appgw-4/appgw-4.kql 
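Review bot: In the appgw-3.kql hunk the source table is left as `Resources` while appgw-1 and appgw-4 in the same series switch to lowercase `resources`; make it consistent. More importantly, `isnull(properties.webApplicationFirewallConfiguration)` alone will flag v2 gateways that enforce WAF through an attached firewall policy (`properties.firewallPolicy`) rather than the inline configuration block; consider `| where isnull(properties.webApplicationFirewallConfiguration) and isnull(properties.firewallPolicy)` so a gateway is only reported when neither form of WAF is present.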
@@ -1,6 +1,8 @@ -Resources -| where type == "microsoft.network/applicationGateways" +// Azure Resource Graph Query +// This query will return all Application Gateways in your Azure environment and will identify if they are v1 or v2 +resources +| where type =~ "microsoft.network/applicationGateways" | extend sku = tolower(tostring(properties.sku.name)) -| extend is_v2 = iif(startswith(sku, "standard_v2"), true, false) -| extend is_v1 = iif(startswith(sku, "standard"), not(is_v2), false) -| project name, is_v1, is_v2 +| where sku != "waf_v2" and sku != "standard_v2" +| project recommendationId = "appgw-4", name, id, param1 = "sku: v1" +| order by id asc diff --git a/docs/content/services/networking/network-security-group/_index.md b/docs/content/services/networking/network-security-group/_index.md new file mode 100644 index 000000000..27a870ec0 --- /dev/null +++ b/docs/content/services/networking/network-security-group/_index.md 
@@ -0,0 +1,153 @@ ++++ +title = "Network Security Group" +description = "Best practices and resiliency recommendations for Network Security Group and associated resources and settings." +date = "9/19/23" +author = "rodrigosantosms" +msAuthor = "rodrigosantosms" +draft = false ++++ + +The presented resiliency recommendations in this guidance include Network Security Group and associated resources and settings. + +## Summary of Recommendations + +{{< table style="table-striped" >}} +| Recommendation | Category | Impact | State | ARG Query Available | +| :---------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | :--------------: | :------: | :------: | :-----------------: | +| [NSG-1 - Configure Diagnostic Settings for all Azure Resources](#nsg-1---configure-diagnostic-settings-for-all-azure-resources) | Monitoring | Medium | Preview | No | +| [NSG-2 - Monitor changes in Network Security Groups with Azure Monitor](#nsg-2---monitor-changes-in-network-security-groups-with-azure-monitor) | Monitoring | Low | Preview | No | +| [NSG-3 - Monitor changes in Network Security Groups with Azure Monitor](#nsg-3---configure-locks-for-network-security-groups-to-avoid-accidental-changes-andor-deletion) | Governance | Low | Preview | No | +| [NSG-4 - Monitor changes in Network Security Groups with Azure Monitor](#nsg-4---configure-nsg-flow-logs) | Monitoring | Medium | Preview | Yes | +| [NSG-5 - Monitor changes in Network Security Groups with Azure Monitor](#nsg-5---the-nsg-only-has-default-security-rules-make-sure-to-configure-the-necessary-rules) | Access & Security | Medium | Preview | Yes | +{{< /table >}} + +{{< alert style="info" >}} + +Definitions of states can be found [here]({{< ref "../../../_index.md#definitions-of-terms-used-in-aprl">}}) + +{{< /alert >}} + +## Recommendations Details + +### NSG-1 - Configure Diagnostic Settings for all Azure Resources + 
+**Category: Monitoring** + +**Impact: Medium** + +**Recommendation/Guidance** + +Resource Logs are not collected and stored until you create a diagnostic setting and route them to one or more locations. + +**Resources** + +- [Diagnostic settings in Azure Monitor](https://learn.microsoft.com/azure/azure-monitor/essentials/diagnostic-settings) + +**Resource Graph Query/Scripts** + +{{< collapse title="Show/Hide Query/Script" >}} + +{{< code lang="sql" file="code/nsg-1/nsg-1.kql" >}} {{< /code >}} + +{{< /collapse >}} + +

+ +### NSG-2 - Monitor changes in Network Security Groups with Azure Monitor + +**Category: Monitoring** + +**Impact: Low** + +**Recommendation/Guidance** + +Create Alerts for administrative operations such as Create or Update Network Security Group rules with Azure Monitor to detect unauthorized/undesired changes to production resources, this alert can help identify undesired changes in the default security, such as attempts to by-pass firewalls or from accessing resources externally. + +**Resources** + +- [Azure Monitor activity log](https://learn.microsoft.com/azure/azure-monitor/essentials/activity-log?tabs=powershell) + +**Resource Graph Query/Scripts** + +{{< collapse title="Show/Hide Query/Script" >}} + +{{< code lang="sql" file="code/nsg-2/nsg-2.kql" >}} {{< /code >}} + +{{< /collapse >}} + +

+ +### NSG-3 - Configure locks for Network Security Groups to avoid accidental changes and/or deletion + +**Category: ** + +**Impact: Medium** + +**Recommendation/Guidance** + +As an administrator, you can lock an Azure subscription, resource group, or resource to protect them from accidental user deletions and modifications. The lock overrides any user permissions. +You can set locks that prevent either deletions or modifications. In the portal, these locks are called Delete and Read-only. + +**Resources** + +- [Lock your resources to protect your infrastructure](https://learn.microsoft.com/azure/azure-resource-manager/management/lock-resources?toc=%2Fazure%2Fvirtual-network%2Ftoc.json&tabs=json) + +**Resource Graph Query/Scripts** + +{{< collapse title="Show/Hide Query/Script" >}} + +{{< code lang="sql" file="code/nsg-3/nsg-3.kql" >}} {{< /code >}} + +{{< /collapse >}} + +

+ +### NSG-4 - Configure NSG Flow Logs + +**Category: Monitoring** + +**Impact: Medium** + +**Recommendation/Guidance** + +It's vital to monitor, manage, and know your own network so that you can protect and optimize it. You need to know the current state of the network, who's connecting, and where users are connecting from. You also need to know which ports are open to the internet, what network behavior is expected, what network behavior is irregular, and when sudden rises in traffic happen. + +Flow logs are the source of truth for all network activity in your cloud environment. Whether you're in a startup that's trying to optimize resources or a large enterprise that's trying to detect intrusion, flow logs can help. You can use them for optimizing network flows, monitoring throughput, verifying compliance, detecting intrusions, and more. + +**Resources** + +- [Flow logging for network security groups](https://learn.microsoft.com/azure/network-watcher/network-watcher-nsg-flow-logging-overview) + +**Resource Graph Query/Scripts** + +{{< collapse title="Show/Hide Query/Script" >}} + +{{< code lang="sql" file="code/nsg-4/nsg-4.kql" >}} {{< /code >}} + +{{< /collapse >}} + +

+ +### NSG-5 - The NSG only has Default Security Rules, make sure to configure the necessary rules + +**Category: Access & Security** + +**Impact: Medium** + +**Recommendation/Guidance** + +You can use an Azure network security group to filter network traffic between Azure resources in an Azure virtual network. A network security group contains security rules that allow or deny inbound network traffic to, or outbound network traffic from, several types of Azure resources. For each rule, you can specify source and destination, port, and protocol. + +**Resources** + +- [Security rules](https://learn.microsoft.com/azure/virtual-network/network-security-groups-overview#security-rules) + +**Resource Graph Query/Scripts** + +{{< collapse title="Show/Hide Query/Script" >}} + +{{< code lang="sql" file="code/nsg-5/nsg-5.kql" >}} {{< /code >}} + +{{< /collapse >}} + +

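Review bot: In the new network-security-group/_index.md hunk the Summary table rows for NSG-3, NSG-4 and NSG-5 all carry the NSG-2 link text "Monitor changes in Network Security Groups with Azure Monitor" while their anchors point at the lock, flow-log and default-rules sections; the visible text should match the section headings (for example `[NSG-4 - Configure NSG Flow Logs](#nsg-4---configure-nsg-flow-logs)`). NSG-3 also has an empty `**Category: **` line in its detail section while the table says Governance, and the table lists NSG-3 as Impact Low while the detail says Medium; pick one. Minor: the NSG-2 guidance is a single run-on sentence and "by-pass" should be "bypass".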
diff --git a/docs/content/services/networking/network-security-group/code/nsg-1/nsg-1.kql b/docs/content/services/networking/network-security-group/code/nsg-1/nsg-1.kql new file mode 100644 index 000000000..5e039f9a0 --- /dev/null +++ b/docs/content/services/networking/network-security-group/code/nsg-1/nsg-1.kql @@ -0,0 +1,2 @@ +// Azure Resource Graph Query +// Under development diff --git a/docs/content/services/networking/network-security-group/code/nsg-2/nsg-2.kql b/docs/content/services/networking/network-security-group/code/nsg-2/nsg-2.kql new file mode 100644 index 000000000..5e039f9a0 --- /dev/null +++ b/docs/content/services/networking/network-security-group/code/nsg-2/nsg-2.kql @@ -0,0 +1,2 @@ +// Azure Resource Graph Query +// Under development diff --git a/docs/content/services/networking/network-security-group/code/nsg-3/nsg-3.kql b/docs/content/services/networking/network-security-group/code/nsg-3/nsg-3.kql new file mode 100644 index 000000000..5e039f9a0 --- /dev/null +++ b/docs/content/services/networking/network-security-group/code/nsg-3/nsg-3.kql @@ -0,0 +1,2 @@ +// Azure Resource Graph Query +// Under development diff --git a/docs/content/services/networking/network-security-group/code/nsg-4/nsg-4.kql b/docs/content/services/networking/network-security-group/code/nsg-4/nsg-4.kql new file mode 100644 index 000000000..fa30e7174 --- /dev/null +++ b/docs/content/services/networking/network-security-group/code/nsg-4/nsg-4.kql @@ -0,0 +1,6 @@ +// Azure Resource Graph Query +// This query will return all NSGs that do not have flow logs enabled +resources +| where type =~ "microsoft.network/networksecuritygroups" +| where isnull(properties.flowLogs) +| project recommendationId = "nsg-4", name, id, param1 = "NSG Flow Logs Disabled" diff --git a/docs/content/services/networking/network-security-group/code/nsg-5/nsg-5.kql b/docs/content/services/networking/network-security-group/code/nsg-5/nsg-5.kql new file mode 100644 index 000000000..0f9d4a3e6 
--- /dev/null +++ b/docs/content/services/networking/network-security-group/code/nsg-5/nsg-5.kql @@ -0,0 +1,7 @@ +// Azure Resource Graph Query +// This query will return all NSGs that have NO security rules +resources +| where type =~ "microsoft.network/networksecuritygroups" +| extend sr = string_size(properties.securityRules) +| where sr <=2 or isnull(properties.securityRules) +| project recommendationId = "nsg-5", name, id diff --git a/docs/content/services/networking/network-watcher/_index.md b/docs/content/services/networking/network-watcher/_index.md new file mode 100644 index 000000000..70dfce9e9 --- /dev/null +++ b/docs/content/services/networking/network-watcher/_index.md 
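Review bot: In the nsg-5.kql hunk, `string_size(properties.securityRules) <= 2` works only because an empty array serialises to the two-character string `[]`; `| where isnull(properties.securityRules) or array_length(properties.securityRules) == 0` expresses the "no custom rules" condition directly and will not break if the serialisation changes. The projection also omits the `param1` detail column that nsg-4 and the other new queries in this series emit; add `param1 = "Only default security rules"` for consistency.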
@@ -0,0 +1,75 @@ ++++ +title = "Network Watcher" +description = "Best practices and resiliency recommendations for Network Watcher and associated resources and settings." +date = "9/19/23" +author = "rodrigosantosms" +msAuthor = "rodrigosantosmsS" +draft = false ++++ + +The presented resiliency recommendations in this guidance include Network Watcher and associated resources and settings. + +## Summary of Recommendations + +{{< table style="table-striped" >}} +| Recommendation | Category | Impact | State | ARG Query Available | +| :------------------------------------------------------------------------------------------------------------------------------------------------------------------ | :------------: | :------: | :------: | :-----------------: | +| [NW-1 - Deploy Network Watcher in all regions where you have networking services](#nw-1---deploy-network-watcher-in-all-regions-where-you-have-networking-services) | Monitoring | Low | Preview | Yes | +| [NW-2 - Fix Flow Log configurations in Failed state or Disabled Status](#nw-2---fix-flow-log-configurations-in-failed-state-or-disabled-status) | Monitoring | Low | Preview | Yes | +{{< /table >}} + +{{< alert style="info" >}} + +Definitions of states can be found [here]({{< ref "../../../_index.md#definitions-of-terms-used-in-aprl">}}) + +{{< /alert >}} + +## Recommendations Details + +### NW-1 - Deploy Network Watcher in all regions where you have networking services + +**Category: Monitoring** + +**Impact: Low** + +**Recommendation/Guidance** + +Azure Network Watcher provides a suite of tools to monitor, diagnose, view metrics, and enable or disable logs for Azure IaaS (Infrastructure-as-a-Service) resources. Network Watcher enables you to monitor and repair the network health of IaaS products like virtual machines (VMs), virtual networks (VNets), application gateways, load balancers, etc. Network Watcher isn't designed or intended for PaaS monitoring or Web analytics. 
+ +**Resources** + +- [What is Azure Network Watcher?](https://learn.microsoft.com/azure/network-watcher/network-watcher-overview) + +**Resource Graph Query/Scripts** + +{{< collapse title="Show/Hide Query/Script" >}} + +{{< code lang="sql" file="code/nw-1/nw-1.kql" >}} {{< /code >}} + +{{< /collapse >}} + +

+ +### NW-2 - Fix Flow Log configurations in Failed state or Disabled Status + +**Category: Monitoring** + +**Impact: Low** + +**Recommendation/Guidance** + +Network security group flow logging is a feature of Azure Network Watcher that allows you to log information about IP traffic flowing through a network security group. If the flow log is in Failed state, the monitoring data from the associated resource is not being collected. + +**Resources** + +- [Manage NSG flow logs using the Azure portal](https://learn.microsoft.com/azure/network-watcher/nsg-flow-logging) + +**Resource Graph Query/Scripts** + +{{< collapse title="Show/Hide Query/Script" >}} + +{{< code lang="sql" file="code/nw-2/nw-2.kql" >}} {{< /code >}} + +{{< /collapse >}} + +

diff --git a/docs/content/services/networking/network-watcher/code/nw-1/nw-1.kql b/docs/content/services/networking/network-watcher/code/nw-1/nw-1.kql new file mode 100644 index 000000000..8e9f12d87 --- /dev/null +++ b/docs/content/services/networking/network-watcher/code/nw-1/nw-1.kql @@ -0,0 +1,9 @@ +// Azure Resource Graph Query +// This query will return all locations that do not have a Network Watcher deployed +resources +| where location != "global" +| union (Resources + | where type =~ "microsoft.network/networkwatchers") +| summarize NetworkWatcherCount = countif(type =~ 'Microsoft.Network/networkWatchers') by location +| where NetworkWatcherCount == 0 +| project recommendationId = "nw-1", name=location, id="n/a", param1 = strcat("LocationMisingNetworkWatcher:", location) diff --git a/docs/content/services/networking/network-watcher/code/nw-2/nw-2.kql b/docs/content/services/networking/network-watcher/code/nw-2/nw-2.kql new file mode 100644 index 000000000..0cbbf0556 --- /dev/null +++ b/docs/content/services/networking/network-watcher/code/nw-2/nw-2.kql @@ -0,0 +1,10 @@ +// Azure Resource Graph Query +// This query will return all Network Watcher Flow Logs that are not enabled or in a succeeded state +resources +| where type =~ "microsoft.network/networkwatchers/flowlogs" and isnotnull(properties) +| extend targetResourceId = tostring(properties.targetResourceId) +| extend status = iff(properties.enabled =~ 'true', "Enabled", "Disabled") +| extend provisioningState = tostring(properties.provisioningState) +| extend flowLogType = iff(properties.targetResourceId contains "Microsoft.Network/virtualNetworks", 'Virtual network', 'Network security group') +| where provisioningState != "Succeeded" or status != "Enabled" +| project recommendationId = "nw-2", name, id, param1 = strcat("provisioningState:", provisioningState), param2=strcat("Status:", status), param3=strcat("targetResourceId:",targetResourceId), param4=strcat("flowLogType:",flowLogType) 
diff --git a/docs/content/services/networking/private-endpoints/_index.md b/docs/content/services/networking/private-endpoints/_index.md new file mode 100644 index 000000000..75da2776a --- /dev/null +++ b/docs/content/services/networking/private-endpoints/_index.md 
@@ -0,0 +1,50 @@ ++++ +title = "Private Endpoints" +description = "Best practices and resiliency recommendations for Private Endpoints and associated resources and settings." +date = "9/19/23" +author = "CHANGE ME TO YOUR GITHUB USERNAME" +msAuthor = "CHANGE ME TO YOUR MICROSOFT ALIAS" +draft = false ++++ + +The presented resiliency recommendations in this guidance include Private Endpoints and associated resources and settings. + +## Summary of Recommendations + +{{< table style="table-striped" >}} +| Recommendation | Category | Impact | State | ARG Query Available | +| :------------------------------------------------------------------------------------------------------------------------------------------------------------------ | :-------------: | :------: | :------: | :-----------------: | +| [PEP-1 - Resolve issues with Private Endpoints in non Succeeded connection state](#pep-1---resolve-issues-with-private-endpoints-in-non-succeeded-connection-state) | Networking | Medium | Preview | Yes | +{{< /table >}} + +{{< alert style="info" >}} + +Definitions of states can be found [here]({{< ref "../../../_index.md#definitions-of-terms-used-in-aprl">}}) + +{{< /alert >}} + +## Recommendations Details + +### PEP-1 - Resolve issues with Private Endpoints in non Succeeded connection state + +**Category: Networking** + +**Impact: Medium** + +**Recommendation/Guidance** + +A private endpoint has two custom properties, static IP address and the network interface name. These properties must be set when the private endpoint is created. I the state is not in Succeeded state, there might be a problem with the private endpoint or with the associated resource. 
+ +**Resources** + +- [Private endpoint connections](https://learn.microsoft.com/azure/private-link/manage-private-endpoint?tabs=manage-private-link-powershell#private-endpoint-connections) + +**Resource Graph Query/Scripts** + +{{< collapse title="Show/Hide Query/Script" >}} + +{{< code lang="sql" file="code/pep-1/pep-1.kql" >}} {{< /code >}} + +{{< /collapse >}} + +

diff --git a/docs/content/services/networking/private-endpoints/code/pep-1/pep-1.kql b/docs/content/services/networking/private-endpoints/code/pep-1/pep-1.kql new file mode 100644 index 000000000..b42b79e7a --- /dev/null +++ b/docs/content/services/networking/private-endpoints/code/pep-1/pep-1.kql @@ -0,0 +1,6 @@ +// Azure Resource Graph Query +// This query will return all Private Endpoints that are not in a Succeeded state +resources +| where type =~ "microsoft.network/privateendpoints" +| where properties.provisioningState != "Succeeded" or properties.privateLinkServiceConnections[0].properties.provisioningState != "Succeeded" +| project recommendationId = "pep-1", name, id, param1 = strcat("provisioningState: ", tostring(properties.provisioningState)), param2 = strcat("provisioningState: ", tostring(properties.privateLinkServiceConnections[0].properties.provisioningState)) diff --git a/docs/content/services/security/key-vault/_index.md b/docs/content/services/security/key-vault/_index.md index 8faee1807..a49adf3a3 100644 --- a/docs/content/services/security/key-vault/_index.md +++ b/docs/content/services/security/key-vault/_index.md 
@@ -17,8 +17,8 @@ The presented resiliency recommendations in this guidance include Key Vault and | [KV-1 - Key vaults should have soft delete enabled](#kv-1---key-vaults-should-have-soft-delete-enabled) | High | Preview | Yes | | [KV-2 - Key vaults should have purge protection enabled](#kv-2---key-vaults-should-have-purge-protection-enabled) | High | Preview | Yes | | [KV-3 - Enable Azure Private Link Service for Key vault](#kv-3---enable-azure-private-link-service-for-key-vault) | High | Preview | Yes | -| [KV-4 - Use separate key vaults per application per environment](#kv-4---use-separate-key-vaults-per-application-per-environment) | High | Preview | Yes | -| [KV-5 - Diagnostic logs in Key Vault should be enabled](#kv-5---diagnostic-logs-in-key-vault-should-be-enabled) | Low | Preview | Yes | +| [KV-4 - Use separate key vaults per application per environment](#kv-4---use-separate-key-vaults-per-application-per-environment) | High | Preview | No | +| [KV-5 - Diagnostic logs in Key Vault should be enabled](#kv-5---diagnostic-logs-in-key-vault-should-be-enabled) | Low | Preview | no | {{< /table >}} {{< alert style="info" >}} @@ -31,6 +31,8 @@ Definitions of states can be found [here]({{< ref "../../../_index.md#definition ### KV-1 - Key vaults should have soft delete enabled +**Category: Disaster Recovery** + **Impact: High** **Recommendation/Guidance** @@ -53,6 +55,8 @@ Key Vault's soft-delete feature allows recovery of the deleted vaults and delete ### KV-2 - Key vaults should have purge protection enabled +**Category: Disaster Recovery** + **Impact: High** **Recommendation/Guidance** @@ -75,6 +79,8 @@ Malicious deletion of a key vault can lead to permanent data loss. A malicious i ### KV-3 - Enable Azure Private Link Service for Key vault +**Category: Networking** + **Impact: High** **Recommendation/Guidance** 
@@ -97,6 +103,8 @@ Azure Private Link Service enables you to access Azure Key Vault and Azure hoste ### KV-4 - Use separate key vaults per application per environment +**Category: Governance** + **Impact: High** **Recommendation/Guidance** @@ -119,6 +127,8 @@ Key vaults define security boundaries for stored secrets. Grouping secrets into ### KV-5 - Diagnostic logs in Key Vault should be enabled +**Category: Monitoring** + **Impact: Low** **Recommendation/Guidance** diff --git a/docs/content/services/security/key-vault/code/kv-1/kv-1.kql b/docs/content/services/security/key-vault/code/kv-1/kv-1.kql index f4a5a48e8..72331a722 100644 --- a/docs/content/services/security/key-vault/code/kv-1/kv-1.kql +++ b/docs/content/services/security/key-vault/code/kv-1/kv-1.kql @@ -2,5 +2,5 @@ // This Resource Graph query will return all Key Vaults that do not have soft delete enabled. resources | where type == "microsoft.keyvault/vaults" -| where tostring(properties['enableSoftDelete']) !contains "true" -| project recommendationId = "kv-1", name, id, location, resourceGroup, subscriptionId, softDeleteEnabled = tostring(properties['enableSoftDelete']) +| where isnull(properties.enableSoftDelete) or properties.enableSoftDelete != "true" +| project recommendationId = "kv-1", name, id, softDeleteEnabled = "disabled" diff --git a/docs/content/services/security/key-vault/code/kv-2/kv-2.kql b/docs/content/services/security/key-vault/code/kv-2/kv-2.kql index 190bc3b2f..58324bdbe 100644 --- a/docs/content/services/security/key-vault/code/kv-2/kv-2.kql +++ b/docs/content/services/security/key-vault/code/kv-2/kv-2.kql 
@@ -2,5 +2,5 @@ // This resource graph query will return all Key Vaults that do not have Purge Protection enabled. resources | where type == "microsoft.keyvault/vaults" -| where tostring(properties['enablePurgeProtection']) !contains "true" -| project recommendationId = "kv-2", name, id, location, resourceGroup, subscriptionId, enablePurgeProtection = tostring(properties['enablePurgeProtection']) +| where isnull(properties.enablePurgeProtection) or properties.enablePurgeProtection != "true" +| project recommendationId = "kv-2", name, id, enablePurgeProtection = "disabled" diff --git a/docs/content/services/security/key-vault/code/kv-3/kv-3.kql b/docs/content/services/security/key-vault/code/kv-3/kv-3.kql index ea2f867d9..102ee2a0b 100644 --- a/docs/content/services/security/key-vault/code/kv-3/kv-3.kql +++ b/docs/content/services/security/key-vault/code/kv-3/kv-3.kql @@ -2,5 +2,5 @@ // This resource graph query will return all Key Vaults that does not have a Private Endpoint Connection. resources | where type == "microsoft.keyvault/vaults" -| where tostring(properties['privateEndpointConnections'][0]['properties']['provisioningState']) !in ("Succeeded", "Ready", "Pending", "Failed") -| project recommendationId = "kv-3", name, id, location, resourceGroup, subscriptionId, PrivatelinkEndpoint = tostring(properties['privateEndpointConnections'][0]['properties']['provisioningState']) +| where isnull(properties.privateEndpointConnections) or properties.privateEndpointConnections[0].properties.provisioningState != ("Succeeded") +| project recommendationId = "kv-3", name, id, PrivatelinkEndpoint = "No Private Endpoint" diff --git a/docs/content/services/security/key-vault/code/kv-4/kv-4.kql b/docs/content/services/security/key-vault/code/kv-4/kv-4.kql index 054a68cc4..2480a1ac3 100644 --- a/docs/content/services/security/key-vault/code/kv-4/kv-4.kql +++ b/docs/content/services/security/key-vault/code/kv-4/kv-4.kql 
@@ -1,5 +1,2 @@ // Azure Resource Graph Query -// This resource graph query will return all Key Vaults in your Azure environment, if there are multiple application then we should have multiple Key Vaults. -resources -| where type == "microsoft.keyvault/vaults" -| project recommendationId = "kv-4", name, id, location, resourceGroup, subscriptionId +// under development diff --git a/docs/content/services/security/key-vault/code/kv-5/kv-5.kql b/docs/content/services/security/key-vault/code/kv-5/kv-5.kql index 35bd5a136..2480a1ac3 100644 --- a/docs/content/services/security/key-vault/code/kv-5/kv-5.kql +++ b/docs/content/services/security/key-vault/code/kv-5/kv-5.kql @@ -1 +1,2 @@ -// Not available. The validation for this recommendation cannot be achieved with an Azure Resource Graph query. +// Azure Resource Graph Query +// under development diff --git a/docs/content/services/storage/storage-Account/_index.md b/docs/content/services/storage/storage-Account/_index.md index a794ac424..b9cf7fefc 100644 --- a/docs/content/services/storage/storage-Account/_index.md +++ b/docs/content/services/storage/storage-Account/_index.md 
@@ -14,17 +14,16 @@ The presented resiliency recommendations in this guidance include Storage Accoun The below table shows the list of resiliency recommendations for Storage Account and associated resources. {{< table style="table-striped" >}} -| Recommendation | Impact | State | ARG Query Available | +| Recommendation | Impact | State | ARG/Script Available| | :---------------------------------------------------------------------------------------------------------------------------------------------------- | :-----: | :-----: | :-----------------: | |[ST-1 - Ensure that storage account is redundant](#st-1---ensure-that-storage-account-is-redundant) | High | Preview | Yes | |[ST-2 - Do not use classic storage account](#st-2---do-not-use-classic-storage-account) | High | Preview | Yes | -|[ST-3 - Ensure Performance tier is set as per workload](#st-3---ensure-performance-tier-is-set-as-per-workload) | Medium | Preview | No | +|[ST-3 - Ensure Performance tier is set as per workload](#st-3---ensure-performance-tier-is-set-as-per-workload) | Medium | Preview | Yes | |[ST-4 - Choose right storage account kind for workload](#st-4---choose-right-storage-account-kind-for-workload) | Medium | Preview | No | -|[ST-5 - Enable soft delete for recovery of data](#st-5---enable-soft-delete-for-recovery-of-data) | Medium | Preview | No | -|[ST-6 - Enable version for accidental modification](#st-6---enable-version-for-accidental-modification) | Medium | Preview | No | -|[ST-7 - Enable point and time restore for containers for recovery](#st-7---enable-point-and-time-restore-for-containers-for-recovery) | Low | Preview | No | -|[ST-8 - Keep fewer than 1000 versions per blob](#st-8---keep-fewer-than-1000-versions-per-blob) | Low | Preview | No | -|[ST-9 - Configure Diagnostic Settings for all Azure Resources](#st-9---configure-diagnostic-settings-for-all-azure-resources) | Low | Preview | No | +|[ST-5 - Enable soft delete for recovery of 
data](#st-5---enable-soft-delete-for-recovery-of-data) | Medium | Preview | Yes | +|[ST-6 - Enable version for accidental modification and keep the number of versions below 1000](#st-6---enable-version-for-accidental-modification-and-keep-the-number-of-versions-below-1000) | Medium | Preview | Yes | +|[ST-7 - Enable point and time restore for containers for recovery](#st-7---enable-point-and-time-restore-for-containers-for-recovery) | Low | Preview | Yes | +|[ST-8 - Configure Diagnostic Settings for all Azure Resources](#st-8---configure-diagnostic-settings-for-all-azure-resources) | Low | Preview | Yes | {{< /table >}} @@ -38,6 +37,8 @@ Definitions of states can be found [here]({{< ref "../../../_index.md#definition ### ST-1 - Ensure that Storage Account is redundant +**Category: Availability** + **Impact: High** **Recommendation/Guidance** @@ -65,6 +66,8 @@ Data in an Azure Storage account is always replicated three times in the primary ### ST-2 - Do not use classic Storage Account +**Category: Governance** + **Impact: High** **Recommendation/Guidance** @@ -87,6 +90,8 @@ Azure classic Storage Account will retire 31 august 2024. So migrate all workloa ### ST-3 - Ensure Performance tier is set as per workload +**Category: System Efficiency** + **Impact: Medium** **Recommendation/Guidance** @@ -109,6 +114,8 @@ Consider using appropriate storage performance tier for standard storage / block ### ST-4 - Choose right storage account kind for workload +**Category: System Efficiency** + **Impact: Medium** **Recommendation/Guidance** @@ -131,6 +138,8 @@ Block blobs are optimized for uploading large amounts of data efficiently. Block ### ST-5 - Enable soft delete for recovery of data +**Category: Disaster Recovery** + **Impact: Medium** **Recommendation/Guidance** 
@@ -141,17 +150,19 @@ Soft delete option allow for recovering data if its deleted by mistaken. Moreove - [Soft delete detail docs](https://learn.microsoft.com//azure/storage/blobs/soft-delete-blob-enable?tabs=azure-portal ) -**Resource Graph Query/Scripts** +**Script** {{< collapse title="Show/Hide Query/Script" >}} -{{< code lang="sql" file="/code/st-5/st-5.kql" >}} {{< /code >}} +{{< code lang="sql" file="/code/st-5/st-5.ps1" >}} {{< /code >}} {{< /collapse >}}

-### ST-6 - Enable version for accidental modification +### ST-6 - Enable version for accidental modification and keep the number of versions below 1000 + +**Category: Disaster Recovery** **Impact: Medium** @@ -164,12 +175,11 @@ Having a large number of versions per blob can increase the latency for blob lis - [Blob versioning](https://learn.microsoft.com/azure/storage/blobs/versioning-overview ) - -**Resource Graph Query/Scripts** +**Script** {{< collapse title="Show/Hide Query/Script" >}} -{{< code lang="sql" file="/code/st-6/st-6.kql" >}} {{< /code >}} +{{< code lang="sql" file="/code/st-6/st-6.ps1" >}} {{< /code >}} {{< /collapse >}} @@ -177,6 +187,8 @@ Having a large number of versions per blob can increase the latency for blob lis ### ST-7 - Enable point and time restore for containers for recovery +**Category: Disaster Recovery** + **Impact: Low** **Recommendation/Guidance** @@ -188,56 +200,36 @@ Point and time restore support general purpose v2 account in standard performanc - [Restore overview](https://learn.microsoft.com/azure/storage/blobs/point-in-time-restore-manage?tabs=portal) -**Resource Graph Query/Scripts** +**Script** {{< collapse title="Show/Hide Query/Script" >}} -{{< code lang="sql" file="/code/st-7/st-7.kql" >}} {{< /code >}} +{{< code lang="sql" file="/code/st-7/st-7.ps1" >}} {{< /code >}} {{< /collapse >}}

-### ST-8 - Keep fewer than 1000 versions per blob - -**Impact: Low** - -**Recommendation/Guidance** - -Having a large number of versions per blob can increase the latency for blob listing operations. Microsoft recommends maintaining fewer than 1000 versions per blob. You can use lifecycle management to automatically delete old versions. - -**Resources** - -- [Blob Versioning](https://learn.microsoft.com/azure/storage/blobs/versioning-overview) - -**Resource Graph Query/Scripts** - -{{< collapse title="Show/Hide Query/Script" >}} +### ST-8 - Configure Diagnostic Settings for all Azure Resources -{{< code lang="sql" file="/code/st-8/st-8.kql" >}} {{< /code >}} - -{{< /collapse >}} - -

- -### ST-9 - Configure Diagnostic Settings for all Azure Resources +**Category: Monitoring** **Impact: Low** **Recommendation/Guidance** Enabling diagnostic settings allow you to capture and view diagnostic information so that you can troubleshoot any failures. + **Resources** - [Diagnostic Setting for Storage Account](https://learn.microsoft.com/en-us/azure/storage/blobs/monitor-blob-storage) -**Resource Graph Query/Scripts** +**Script** {{< collapse title="Show/Hide Query/Script" >}} -{{< code lang="sql" file="/code/st-9/st-9.kql" >}} {{< /code >}} +{{< code lang="sql" file="/code/st-8/st-8.ps1" >}} {{< /code >}} {{< /collapse >}}

- diff --git a/docs/content/services/storage/storage-Account/code/st-1/st-1.kql b/docs/content/services/storage/storage-Account/code/st-1/st-1.kql index f2e4efc0c..4219615bf 100644 --- a/docs/content/services/storage/storage-Account/code/st-1/st-1.kql +++ b/docs/content/services/storage/storage-Account/code/st-1/st-1.kql @@ -1,5 +1,5 @@ +// Azure Resource Graph Query +// This query will return all storage accounts that are not using at least Zone replication Resources | where type =~'microsoft.storage/storageaccounts' | where sku.name =~'Standard_LRS' or sku.name =~ 'Standard_ZRS' -| project recommendationId = 'st-1', name, id, redundancy=sku.name - - +| project recommendationId = 'st-1', name, id, param1=sku.name diff --git a/docs/content/services/storage/storage-Account/code/st-2/st-2.kql b/docs/content/services/storage/storage-Account/code/st-2/st-2.kql index 692ea31bd..27bf1b7c7 100644 --- a/docs/content/services/storage/storage-Account/code/st-2/st-2.kql +++ b/docs/content/services/storage/storage-Account/code/st-2/st-2.kql @@ -2,4 +2,4 @@ // Find all Azure classic Storage Account resources | where type =~ 'microsoft.classicstorage/storageaccounts' -| project recommendationId = 'st-2', name, id, type +| project recommendationId = 'st-2', name, id, param1=type diff --git a/docs/content/services/storage/storage-Account/code/st-3/st-3.kql b/docs/content/services/storage/storage-Account/code/st-3/st-3.kql index 102063f11..9c4aac273 100644 --- a/docs/content/services/storage/storage-Account/code/st-3/st-3.kql +++ b/docs/content/services/storage/storage-Account/code/st-3/st-3.kql 
@@ -1,6 +1,6 @@ // Azure Resource Graph Query // Find all Azure Storage Accounts, that do not have an access tier set -Resources +resources | where type =~'microsoft.storage/storageaccounts' | where isnull(properties.accessTier) -| project recommendationId = 'st-3', name, id, accessTier="not defined - GeneralPurpose V1" +| project recommendationId = 'st-3', name, id, param1="not defined - GeneralPurpose V1" diff --git a/docs/content/services/storage/storage-Account/code/st-4/st-4.kql b/docs/content/services/storage/storage-Account/code/st-4/st-4.kql index 32e0e5ecb..2480a1ac3 100644 --- a/docs/content/services/storage/storage-Account/code/st-4/st-4.kql +++ b/docs/content/services/storage/storage-Account/code/st-4/st-4.kql @@ -1,3 +1,2 @@ -Resources | where type =="microsoft.storage/storageaccounts" -| where kind == "Storage" -| project recommendationId = "st-4", name, id, StgKind = "Storage - general purpose v1" +// Azure Resource Graph Query +// under development diff --git a/docs/content/services/storage/storage-Account/code/st-5/st-5.kql b/docs/content/services/storage/storage-Account/code/st-5/st-5.kql deleted file mode 100644 index 3d3831c4e..000000000 --- a/docs/content/services/storage/storage-Account/code/st-5/st-5.kql +++ /dev/null @@ -1,5 +0,0 @@ -//Set variable values to approroriate storage account and resource group -$storageAccount = "StorageAccountName" -$resourceGroupName='ResourceGroupName' -Get-AzStorageFileServiceProperty -ResourceGroupName $resourceGroupName -AccountName $storageAccount | Select-Object ShareDeleteRetentionPolicy ` -| Format-Custom diff --git a/docs/content/services/storage/storage-Account/code/st-5/st-5.ps1 b/docs/content/services/storage/storage-Account/code/st-5/st-5.ps1 new file mode 100644 index 000000000..539a22ba1 --- /dev/null +++ b/docs/content/services/storage/storage-Account/code/st-5/st-5.ps1 
@@ -0,0 +1,6 @@ +# Powershell +# Verifies the current ShareDeleteRetentionPolicy setting for a storage account +# Set variable values to approroriate storage account and resource group +$storageAccount = "StorageAccountName" +$resourceGroupName = "ResourceGroupName" +Get-AzStorageFileServiceProperty -ResourceGroupName $resourceGroupName -AccountName $storageAccount | Select-Object ShareDeleteRetentionPolicy | Format-Custom diff --git a/docs/content/services/storage/storage-Account/code/st-6/st-6.kql b/docs/content/services/storage/storage-Account/code/st-6/st-6.kql deleted file mode 100644 index ba33bad65..000000000 --- a/docs/content/services/storage/storage-Account/code/st-6/st-6.kql +++ /dev/null @@ -1,6 +0,0 @@ -//Set variable values to approroriate storage account and resource group -$storageAccount = "StorageAccountName" -$resourceGroupName='ResourceGroupName' -Get-AzStorageBlobServiceProperty ` - -ResourceGroupName $resourceGroupName -AccountName $storageAccount | Select-Object IsVersioningEnabled ` -| Format-Custom diff --git a/docs/content/services/storage/storage-Account/code/st-6/st-6.ps1 b/docs/content/services/storage/storage-Account/code/st-6/st-6.ps1 new file mode 100644 index 000000000..17f3b1d23 --- /dev/null +++ b/docs/content/services/storage/storage-Account/code/st-6/st-6.ps1 
@@ -0,0 +1,16 @@ +# Powershell +# Verifies if versioning is enabled on a storage account +# Set the Subscription ID for the variable $subid +login-azaccount +$subid = "" +select-AzSubscription -Subscription $subid +$stgs = Get-AzStorageAccount +foreach ($st in $stgs){ + $ResourceGroupName = $st.ResourceGroupName + $StorageAccountNameName = $st.StorageAccountName + $IsVersioningEnabled = (Get-AzStorageBlobServiceProperty -ResourceGroupName $st.ResourceGroupName -AccountName $st.StorageAccountName).IsVersioningEnabled + if ($IsVersioningEnabled -eq $null){ + Write-Output "---------------------------------------------------------" + Write-Output ("st-6;" + $StorageAccountNameName + ";" + $st.id + ";IsVersioningEnabled: Null") + } +} diff --git a/docs/content/services/storage/storage-Account/code/st-7/st-7.kql b/docs/content/services/storage/storage-Account/code/st-7/st-7.kql deleted file mode 100644 index 05171667b..000000000 --- a/docs/content/services/storage/storage-Account/code/st-7/st-7.kql +++ /dev/null @@ -1,5 +0,0 @@ -//Set variable values to approroriate storage account and resource group -$storageAccount = "StorageAccountName" -$resourceGroupName='ResourceGroupName' -Get-AzStorageBlobServiceProperty -ResourceGroupName $resourceGroupName -StorageAccountName $storageAccount - diff --git a/docs/content/services/storage/storage-Account/code/st-7/st-7.ps1 b/docs/content/services/storage/storage-Account/code/st-7/st-7.ps1 new file mode 100644 index 000000000..d73fba4da --- /dev/null +++ b/docs/content/services/storage/storage-Account/code/st-7/st-7.ps1 
@@ -0,0 +1,16 @@ +# Powershell +# Verifies if DeleteRetentionPolicy is enabled on a storage account +# Set the Subscription ID for the variable $subid +login-azaccount +$subid = "" +select-AzSubscription -Subscription $subid +$stgs = Get-AzStorageAccount +foreach ($st in $stgs){ + $ResourceGroupName = $st.ResourceGroupName + $StorageAccountNameName = $st.StorageAccountName + $DeleteRetentionPolicy = (Get-AzStorageBlobServiceProperty -ResourceGroupName $st.ResourceGroupName -StorageAccountName $st.StorageAccountName).DeleteRetentionPolicy.Enabled + if ($DeleteRetentionPolicy -eq $false -or $DeleteRetentionPolicy -eq $null){ + Write-Output "---------------------------------------------------------" + Write-Output ("st-7;" + $StorageAccountNameName + ";" + $st.id + ";DeleteRetentionPolicy: False") + } +} diff --git a/docs/content/services/storage/storage-Account/code/st-8/st-8.kql b/docs/content/services/storage/storage-Account/code/st-8/st-8.kql deleted file mode 100644 index 8b1378917..000000000 --- a/docs/content/services/storage/storage-Account/code/st-8/st-8.kql +++ /dev/null @@ -1 +0,0 @@ - diff --git a/docs/content/services/storage/storage-Account/code/st-8/st-8.ps1 b/docs/content/services/storage/storage-Account/code/st-8/st-8.ps1 new file mode 100644 index 000000000..c8f214023 --- /dev/null +++ b/docs/content/services/storage/storage-Account/code/st-8/st-8.ps1 
@@ -0,0 +1,16 @@ +# Powershell +# Verifies if DiagnosticSettings is enabled on a storage account +# Set the Subscription ID for the variable $subid +login-azaccount +$subid = "" +select-AzSubscription -Subscription $subid +$stgs = Get-AzStorageAccount +foreach ($st in $stgs){ + $ResourceGroupName = $st.ResourceGroupName + $StorageAccountNameName = $st.StorageAccountName + $diag = (Get-AzDiagnosticSetting -ResourceId "/subscriptions/$subid/resourceGroups/$ResourceGroupName/providers/Microsoft.Storage/storageAccounts/$StorageAccountNameName").Id + if ($diag -eq $null){ + Write-Output "---------------------------------------------------------" + Write-Output ("st-9;" + $StorageAccountNameName + ";" + $st.id + ";DiagnosticSettings: Null") + } +} diff --git a/docs/content/services/storage/storage-Account/code/st-9/st-9.kql b/docs/content/services/storage/storage-Account/code/st-9/st-9.kql deleted file mode 100644 index f050da075..000000000 --- a/docs/content/services/storage/storage-Account/code/st-9/st-9.kql +++ /dev/null @@ -1,4 +0,0 @@ -$subscriptionId = (Get-AzContext).Subscription.Id -$ResourceGroupName="TypeRGName" -$StorageAccountName="TypeStorageAccountName" -Get-AzDiagnosticSetting -ResourceId /subscriptions/$subscriptionId/resourceGroups/$ResourceGroupName/providers/Microsoft.Storage/storageAccounts/$StorageAccountName | select -ExpandProperty Metrics diff --git a/docs/content/well-architected/1-define/_index.md b/docs/content/well-architected/1-define/_index.md new file mode 100644 index 000000000..cd72eba9a --- /dev/null +++ b/docs/content/well-architected/1-define/_index.md 
@@ -0,0 +1,79 @@ ++++ +title = "1 - Define" +description = "Microsoft Azure Well-Architected Framework best practices and recommendations for the Reliability Stage - 1 - Define" +date = "9/18/23" +weight = 1 +author = "rodrigosantosms" +msAuthor = "rodrigosantosms" +draft = false ++++ + +The presented Microsoft Azure Well-Architected Framework recommendations in this guidance include Reliability Stage "1 - Define (Requirements)" and associated resources and their settings. + +In this initial stage, the objectives and requirements for system reliability are established. This often involves specifying availability and recovery targets, latency tolerances, criticality classifications, and disaster recovery objectives. + +## Summary of Recommendations + +{{< table style="table-striped" >}} +| Recommendation | Category | Impact | State | ARG Query Available | +| :---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | :-----------------: | :------: | :------: | :-----------------: | +| [WADF-1 - Ensure the Availability Targets are well defined and communicated across teams working on the Workload](#wadf-1---ensure-the-availability-targets-are-well-defined-and-communicated-across-teams-working-on-the-workload) | Availability | High | Verified | No | +| [WADF-2 - Ensure the Recovery Targets are well defined and communicated across teams working on the Workload](#wadf-2---ensure-the-recovery-targets-are-well-defined-and-communicated-across-teams-working-on-the-workload) | Disaster Recovery | High | Verified | No | +{{< /table >}} + +{{< alert style="info" >}} + +Definitions of states can be found [here]({{< ref "../../../_index.md#definitions-of-terms-used-in-aprl">}}) + +{{< /alert >}} + +## Recommendations Details + +### WADF-1 - Ensure the Availability Targets are well defined and communicated across 
teams working on the Workload + +**Category: Availability** + +**Impact: High** + +**Recommendation/Guidance** + +Ensure the Availability Targets (SLA, SLO, SLI) are well defined, tested, monitored and communicated across teams working on the Workload. + +A Service Level Agreement (SLA) is an availability target that represents a commitment around performance and availability of the application. Understanding the SLA of individual components within the system is essential to define reliability targets. Knowing the SLA of dependencies will also provide a justification for additional spend when making the dependencies highly available and with proper support contracts. Availability targets for any dependencies leveraged by the application should be understood and ideally align with application targets should also be considered. + +Understanding your availability expectations is vital to reviewing overall operations for the application. + +For example, if you are striving to achieve an application Service Level Objective (SLO) of 99.999%, the level of inherent operational action required by the application is going to be far greater than if an SLO of 99.9% was the goal. + +**Resources** + +- [Use business metrics to design resilient Azure applications](https://learn.microsoft.com/azure/well-architected/resiliency/business-metrics#workload-availability-targets) +- [Target functional and nonfunctional requirements](https://learn.microsoft.com/azure/well-architected/resiliency/design-requirements) + +

+ +### WADF-2 - Ensure the Recovery Targets are well defined and communicated across teams working on the Workload + +**Category: Disaster Recovery** + +**Impact: High** + +**Recommendation/Guidance** + +Ensure the Recovery Targets are well defined and communicated across teams working on the Workload. +Two important metrics to consider are the recovery time objective and recovery point objective, as they pertain to disaster recovery. + +- Recovery time objective (RTO) is the maximum acceptable time that an application can be unavailable after an incident. If your RTO is 90 minutes, you must be able to restore the application to a running state within 90 minutes from the start of a disaster. If you have a very low RTO, you might keep a second regional deployment continually running an active/passive configuration on standby, to protect against a regional outage. In some cases, you might deploy an active/active configuration to achieve even lower RTO. +- Recovery point objective (RPO) is the maximum duration of data loss that is acceptable during a disaster. For example, if you store data in a single database, with no replication to other databases, and perform hourly backups, you could lose up to an hour of data. +RTO and RPO are non-functional requirements of a system and should be dictated by business requirements. To derive these values, it's a good idea to conduct a risk assessment, and clearly understanding the cost of downtime or data loss. + +Monitoring and measuring application availability is vital to qualifying overall application health and progress towards defined targets. Make sure you measure and monitor key targets such as: + +- Mean Time Between Failures (MTBF) — The average time between failures of a particular component. +- Mean Time to Recover (MTTR) — The average time it takes to restore a component after a failure. 
+ +**Resources** + +- [Target functional and nonfunctional requirements](https://learn.microsoft.com/azure/well-architected/resiliency/design-requirements) + +
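Review bot: the WADF-1 guidance paragraph contains a sentence that has been spliced together and no longer parses: "Availability targets for any dependencies leveraged by the application should be understood and ideally align with application targets should also be considered." Suggest "Availability targets for any dependencies the application relies on should be understood and should ideally align with the application's own targets." In WADF-2, the line "+RTO and RPO are non-functional requirements of a system..." follows the RPO bullet with no blank "+" line between them, so Markdown will fold it into the last bullet rather than start a new paragraph; add the separator. The same sentence also needs "and to clearly understand the cost of downtime or data loss" (parallel to "to conduct a risk assessment") instead of "and clearly understanding".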

diff --git a/docs/content/well-architected/1-define/code/cm-1/cm-1.azcli b/docs/content/well-architected/1-define/code/cm-1/cm-1.azcli new file mode 100644 index 000000000..53d6ce9b0 --- /dev/null +++ b/docs/content/well-architected/1-define/code/cm-1/cm-1.azcli @@ -0,0 +1 @@ +az resource list --resource-type "Micosoft.Example/changeMe" | jq . diff --git a/docs/content/well-architected/1-define/code/cm-1/cm-1.kql b/docs/content/well-architected/1-define/code/cm-1/cm-1.kql new file mode 100644 index 000000000..8fa0b5a6f --- /dev/null +++ b/docs/content/well-architected/1-define/code/cm-1/cm-1.kql @@ -0,0 +1,6 @@ +// Azure Resource Graph Query +// Brief description of the intent of the query (focus on returning resources NOT following your recommendation, and usually name and ResourceId are enough for the report) +Resources +| where type =~ "Microsoft.Example/changeMe" +| project recommendationId = "cm-1", name, id +| order by id asc diff --git a/docs/content/well-architected/1-define/code/cm-1/cm-1.ps1 b/docs/content/well-architected/1-define/code/cm-1/cm-1.ps1 new file mode 100644 index 000000000..d9007ae40 --- /dev/null +++ b/docs/content/well-architected/1-define/code/cm-1/cm-1.ps1 @@ -0,0 +1 @@ +Get-AzResource -ResourceType "Micrsoft.Example/changeMe" | Select-Object name, location, resourceGroup, properties diff --git a/docs/content/well-architected/1-define/code/cm-2/cm-2.azcli b/docs/content/well-architected/1-define/code/cm-2/cm-2.azcli new file mode 100644 index 000000000..53d6ce9b0 --- /dev/null +++ b/docs/content/well-architected/1-define/code/cm-2/cm-2.azcli @@ -0,0 +1 @@ +az resource list --resource-type "Micosoft.Example/changeMe" | jq . diff --git a/docs/content/well-architected/1-define/code/cm-2/cm-2.kql b/docs/content/well-architected/1-define/code/cm-2/cm-2.kql new file mode 100644 index 000000000..c86d926a9 --- /dev/null +++ b/docs/content/well-architected/1-define/code/cm-2/cm-2.kql 
@@ -0,0 +1,6 @@ +// Azure Resource Graph Query +// Brief description of the intent of the query (focus on returning resources NOT following your recommendation, and usually name and ResourceId are enough for the report) +Resources +| where type =~ "Microsoft.Example/changeMe2" +| project recommendationId = "cm-2", name, id +| order by id asc diff --git a/docs/content/well-architected/1-define/code/cm-2/cm-2.ps1 b/docs/content/well-architected/1-define/code/cm-2/cm-2.ps1 new file mode 100644 index 000000000..d9007ae40 --- /dev/null +++ b/docs/content/well-architected/1-define/code/cm-2/cm-2.ps1 @@ -0,0 +1 @@ +Get-AzResource -ResourceType "Micrsoft.Example/changeMe" | Select-Object name, location, resourceGroup, properties diff --git a/docs/content/well-architected/2-design/_index.md b/docs/content/well-architected/2-design/_index.md new file mode 100644 index 000000000..9bcdb18ac --- /dev/null +++ b/docs/content/well-architected/2-design/_index.md 
@@ -0,0 +1,223 @@ ++++ +title = "2 - Design" +description = "Microsoft Azure Well-Architected Framework best practices and recommendations for the Reliability Stage - 2 - Design" +date = "9/18/23" +weight = 2 +author = "rodrigosantosms" +msAuthor = "rodrigosantosms" +draft = false ++++ + +The presented Microsoft Azure Well-Architected Framework recommendations in this guidance include Reliability Stage "2 - Design (Workload Design)" and associated resources and their settings. + +In this Stage, the architecture and design decisions are made to meet the requirements defined earlier. Best practices for resilient and scalable systems are implemented, often including redundancy, failover strategies, and load balancing. In this phase failure mode and point analysis are coordinated in order to identify and mitigate possible failures, and single points of failures. + +## Summary of Recommendations + +{{< table style="table-striped" >}} +| Recommendation | Category | Impact | State | ARG Query Available | +| :------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | :--------------: | :------: | :------: | :-----------------: | +| [WADS-1 - Consider deploying your application across multiple zones](#wads-1---consider-deploying-your-application-across-multiple-zones) | Availability | High | Verified | No | +| [WADS-2 - Consider deploying your application across multiple regions](#wads-2---consider-deploying-your-application-across-multiple-regions) | Disaster Recovery | High | Verified | No | +| [WADS-3 - Ensure that all fault-points and fault-modes are understood and operationalized](#wads-3---ensure-that-all-fault-points-and-fault-modes-are-understood-and-operationalized) | Availability | High | Verified | No | +| [WADS-4 - Use PaaS Azure services instead of IaaS](#wads-4---use-paas-azure-services-instead-of-iaas) | System 
Efficiency | Medium | Verified | No | +| [WADS-5 - Design the application to scale out](#wads-5---design-the-application-to-scale-out) | System Efficiency | High | Verified | No | +| [WADS-6 - Create a landing zone for the workload following the Microsoft Cloud Adoption Framework](#wads-6---create-a-landing-zone-for-the-workload-following-the-microsoft-cloud-adoption-framework) | Governance | Low | Verified | No | +| [WADS-7 - Design a BCDR strategy that will help to meet the business requirements](#wads-7---design-a-bcdr-strategy-that-will-help-to-meet-the-business-requirements) | Disaster Recovery | High | Verified | No | +| [WADS-8 - Provide security assurance through identity management](#wads-8---provide-security-assurance-through-identity-management) | Access & Security | Medium | Verified | No | +| [WADS-9 - Ensure you address security-related risks helps to minimize application downtime and data loss caused by unexpected security exposures](#wads-9---ensure-you-address-security-related-risks-helps-to-minimize-application-downtime-and-data-loss-caused-by-unexpected-security-exposures) | Access & Security | High | Verified | No | +{{< /table >}} + +{{< alert style="info" >}} + +Definitions of states can be found [here]({{< ref "../../../_index.md#definitions-of-terms-used-in-aprl">}}) + +{{< /alert >}} + +## Recommendations Details + +### WADS-1 - Consider deploying your application across multiple zones + +**Category: Availability** + +**Impact: High** + +**Recommendation/Guidance** + +Design your application architecture to use availability zones within a region. Availability zones can be used to optimize application availability within a region by providing datacenter-level fault tolerance. However, the application architecture must not share dependencies between zones to use them effectively. + +Consider if component proximity is required for application performance reasons. 
If all or part of the application is highly sensitive to latency, components might need to be co-located which can limit the applicability of multi-region and multi-zone strategies. + +**Resources** + +- [Use Availability Zones](https://learn.microsoft.com/azure/reliability/availability-zones-overview#availability-zones) + +

+ +### WADS-2 - Consider deploying your application across multiple regions + +**Category: Disaster Recovery** + +**Impact: High** + +**Recommendation/Guidance** + +If your application is deployed to a single region, and the region becomes unavailable, your application will also be unavailable. This might be unacceptable under the terms of your application's SLA. + +If so, consider deploying your application and its services across multiple regions. A multiregional deployment can use an active-active or active-passive configuration. + +An active-active configuration distributes requests across multiple active regions. An active-passive configuration keeps warm instances in the secondary region, but doesn't send traffic there unless the primary region fails. + +**Resources** + +- [Design reliable Azure applications](https://learn.microsoft.com/azure/well-architected/resiliency/app-design) +- [Cross-region replication in Azure: Business continuity and disaster recovery](https://learn.microsoft.com/azure/reliability/cross-region-replication-azure) + +

+ +### WADS-3 - Ensure that all fault-points and fault-modes are understood and operationalized + +**Category: Availability** + +**Impact: High** + +**Recommendation/Guidance** + +Ensure that all fault-points and fault-modes are understood and operationalized. + +Failure mode analysis (FMA) is a process for building resiliency into a system, by identifying possible failure points in the system. The FMA should be part of the architecture and design phases, so that you can build failure recovery into the system from the beginning. + +Identify all fault-points and fault-modes. Fault-points describe the elements within an application architecture which can fail, while fault-modes capture the various ways by which a fault-point may fail. To ensure an application is resilient to end-to-end failures, it is essential that all fault-points and fault-modes are understood and operationalized . + +**Resources** + +- [Failure mode analysis for Azure applications](https://learn.microsoft.com/azure/architecture/resiliency/failure-mode-analysis) + +

+ +### WADS-4 - Use PaaS Azure services instead of IaaS + +**Category: System Efficiency** + +**Impact: Medium** + +**Recommendation/Guidance** + +PaaS provides a framework for developing and running apps. As with IaaS, the PaaS provider hosts and maintains the platform's servers, networks, storage, and other computing resources. But PaaS also includes tools, services, and systems that support the web application lifecycle. Developers use the platform to build apps without having to manage backups, security solutions, upgrades, and other administrative tasks. + +**Resources** + +- [Use platform as a service (PaaS) options](https://learn.microsoft.com/azure/architecture/guide/design-principles/managed-services) + +

+ +### WADS-5 - Design the application to scale out + +**Category: System Efficiency** + +**Impact: High** + +**Recommendation/Guidance** + +Azure provides elastic scalability and you should design to scale out. However, applications must leverage a scale-unit approach to navigate service and subscription limits to ensure that individual components and the application as a whole can scale horizontally. Don't forget about scale in, which is important to reduce cost. For example, scale in and out for App Service is done via rules. Often customers write scale out rules and never write scale in rules, which leaves the App Service more expensive. + +**Resources** + +- [Design to scale out](https://learn.microsoft.com/azure/architecture/guide/design-principles/scale-out) + +

+ +### WADS-6 - Create a landing zone for the workload following the Microsoft Cloud Adoption Framework + +**Category: Governance** + +**Impact: Low** + +**Recommendation/Guidance** + +From a workload perspective, a landing zone refers to a prepared platform into which the application gets deployed. A landing zone implementation can have compute, data sources, access controls, and networking components already provisioned. With the required plumbing ready in place; the workload needs to plug into it. + +When considering the overall security, a landing zone offers centralized security capabilities that adds a threat mitigation layer for the workload. Implementations can vary but here are some common strategies that enhance the security posture. + +- Isolation through segmentation. You can isolate assets at several layers from Azure enrollment down to a subscription that has the resources for the workload. +- Consistent adoption of organizational policies, enforce creation and deletion of services and their configuration through Azure Policy. +- Configurations that align with principles of Zero Trust . For instance an implementation might have network connectivity to on-premises data centers. + +**Resources** + +- [Azure landing zone integration](https://learn.microsoft.com/azure/well-architected/security/design-governance-landing-zone) + +

+ +### WADS-7 - Design a BCDR strategy that will help to meet the business requirements + +**Category: Disaster Recovery** + +**Impact: High** + +**Recommendation/Guidance** + +Disaster recovery is the process of restoring application functionality after a catastrophic loss. In cloud environments, we acknowledge up front that failures happen. Instead of trying to prevent failures altogether, the goal is to minimize the effects of a single failing component. + +Testing is one way to minimize these effects. You should automate testing of your applications where possible, but you also need to be prepared for when they fail. When a failure happens, having backup and recovery strategies becomes important. Your tolerance for reduced functionality during a disaster is a business decision that varies from one application to the next. + +It might be acceptable for some applications to be temporarily unavailable, or partially available with reduced functionality or delayed processing. For other applications, any reduced functionality is unacceptable. + +Key points: + +- Create and test a disaster recovery plan regularly using key failure scenarios. +- Design a disaster recovery strategy to run most applications with reduced functionality. +- Design a backup strategy that's tailored for the business requirements and circumstances of the application. +- Automate failover and failback steps and processes. +- Test and validate the failover and failback approach successfully at least once. + +**Resources** + +- [Backup and disaster recovery for Azure applications](https://learn.microsoft.com/azure/well-architected/resiliency/backup-and-recovery) + +

+ +### WADS-8 - Provide security assurance through identity management + +**Category: Access & Security** + +**Impact: Medium** + +**Recommendation/Guidance** + +Provide security assurance through identity management: the process of authenticating and authorizing security principals. Use identity management services to authenticate and grant permission to users, partners, customers, applications, services, and other entities. Identity management is typically a centralized function not controlled by the workload team as a part of the workload's architecture. + +- Define clear lines of responsibility and separation of duties for each function. Restrict access based on a need-to-know basis and least privilege security principles. +- Assign permissions to users, groups, and applications at a certain scope through Azure RBAC. Use built-in roles when possible. +- Prevent deletion or modification of a resource, resource group, or subscription through management locks. +- Use managed identities to access resources in Azure. + +**Resources** + +- [Azure identity and access management considerations](https://learn.microsoft.com/azure/well-architected/security/design-identity) + +

+ +### WADS-9 - Ensure you address security-related risks helps to minimize application downtime and data loss caused by unexpected security exposures + +**Category: Access & Security** + +**Impact: High** + +**Recommendation/Guidance** + +Security is one of the most important aspects of any architecture. It provides the following assurances against deliberate attacks and abuse of your valuable data and systems: Confidentiality ,Integrity, and Availability. +The security of complex systems depends on understanding the business context, social context, and technical context. As you design your system, cover these areas: + +- Ensure that the identity provider (AAD/ADFS/AD/Other) is highly available and aligns with application availability and recovery targets. +- All external application endpoints are secured. +- Communication to Azure PaaS services secured using Virtual Network Service Endpoints or Private Link. +- Keys and secrets are backed-up to geo-redundant storage, and are still available in a failover case. +- Ensure that the process for key rotation is automated and tested. +- Emergency access break glass accounts have been tested and secured for recovering from Identity provider failure scenarios. + +**Resources** + +- [Security design principles](https://learn.microsoft.com/azure/well-architected/security/security-principles) + +
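Review bot: the WADS-9 title is ungrammatical ("Ensure you address security-related risks helps to minimize application downtime and data loss...") and that wording is also baked into the summary-table anchor "#wads-9---ensure-you-address-security-related-risks-helps-to-minimize-...". Suggest "Address security-related risks to minimize application downtime and data loss caused by unexpected security exposures" and regenerate the anchor to match. In the same section "Confidentiality ,Integrity, and Availability" has the comma on the wrong side of the space. In WADS-6 the bullet "Configurations that align with principles of Zero Trust . For instance an implementation might have network connectivity to on-premises data centers." has a stray space before the period, and the example does not illustrate Zero Trust at all (connectivity to on-premises is the thing Zero Trust asks you not to trust implicitly); either drop the "For instance" sentence or replace it with an example of explicit verification or segmentation. WADS-3 has the same stray space in "understood and operationalized ."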

diff --git a/docs/content/well-architected/2-design/code/cm-1/cm-1.azcli b/docs/content/well-architected/2-design/code/cm-1/cm-1.azcli new file mode 100644 index 000000000..53d6ce9b0 --- /dev/null +++ b/docs/content/well-architected/2-design/code/cm-1/cm-1.azcli @@ -0,0 +1 @@ +az resource list --resource-type "Micosoft.Example/changeMe" | jq . diff --git a/docs/content/well-architected/2-design/code/cm-1/cm-1.kql b/docs/content/well-architected/2-design/code/cm-1/cm-1.kql new file mode 100644 index 000000000..8fa0b5a6f --- /dev/null +++ b/docs/content/well-architected/2-design/code/cm-1/cm-1.kql @@ -0,0 +1,6 @@ +// Azure Resource Graph Query +// Brief description of the intent of the query (focus on returning resources NOT following your recommendation, and usually name and ResourceId are enough for the report) +Resources +| where type =~ "Microsoft.Example/changeMe" +| project recommendationId = "cm-1", name, id +| order by id asc diff --git a/docs/content/well-architected/2-design/code/cm-1/cm-1.ps1 b/docs/content/well-architected/2-design/code/cm-1/cm-1.ps1 new file mode 100644 index 000000000..d9007ae40 --- /dev/null +++ b/docs/content/well-architected/2-design/code/cm-1/cm-1.ps1 @@ -0,0 +1 @@ +Get-AzResource -ResourceType "Micrsoft.Example/changeMe" | Select-Object name, location, resourceGroup, properties diff --git a/docs/content/well-architected/2-design/code/cm-2/cm-2.azcli b/docs/content/well-architected/2-design/code/cm-2/cm-2.azcli new file mode 100644 index 000000000..53d6ce9b0 --- /dev/null +++ b/docs/content/well-architected/2-design/code/cm-2/cm-2.azcli @@ -0,0 +1 @@ +az resource list --resource-type "Micosoft.Example/changeMe" | jq . diff --git a/docs/content/well-architected/2-design/code/cm-2/cm-2.kql b/docs/content/well-architected/2-design/code/cm-2/cm-2.kql new file mode 100644 index 000000000..c86d926a9 --- /dev/null +++ b/docs/content/well-architected/2-design/code/cm-2/cm-2.kql 
@@ -0,0 +1,6 @@ +// Azure Resource Graph Query +// Brief description of the intent of the query (focus on returning resources NOT following your recommendation, and usually name and ResourceId are enough for the report) +Resources +| where type =~ "Microsoft.Example/changeMe2" +| project recommendationId = "cm-2", name, id +| order by id asc diff --git a/docs/content/well-architected/2-design/code/cm-2/cm-2.ps1 b/docs/content/well-architected/2-design/code/cm-2/cm-2.ps1 new file mode 100644 index 000000000..d9007ae40 --- /dev/null +++ b/docs/content/well-architected/2-design/code/cm-2/cm-2.ps1 @@ -0,0 +1 @@ +Get-AzResource -ResourceType "Micrsoft.Example/changeMe" | Select-Object name, location, resourceGroup, properties diff --git a/docs/content/well-architected/3-test/_index.md b/docs/content/well-architected/3-test/_index.md new file mode 100644 index 000000000..fba545a4e --- /dev/null +++ b/docs/content/well-architected/3-test/_index.md 
@@ -0,0 +1,136 @@ ++++ +title = "3 - Test" +description = "Microsoft Azure Well-Architected Framework best practices and recommendations for the Reliability Stage - 3 - Test" +date = "9/18/23" +weight = 3 +author = "rodrigosantosms" +msAuthor = "rodrigosantosms" +draft = false ++++ + +The presented Microsoft Azure Well-Architected Framework recommendations in this guidance include Reliability Stage "3 - Test (Workload Testing)" and associated resources and their settings. + +Before deploying the system, comprehensive tests are conducted to validate the design and implementation. This stage is crucial for identifying any weaknesses that could compromise reliability. + +## Summary of Recommendations + +{{< table style="table-striped" >}} +| Recommendation | Category | Impact | State | ARG Query Available | +| :---------------------------------------------------------------------------------------------------------------------------------------------- | :--------------------: | :------: | :------: | :-----------------: | +| [WATS-1 - Test your applications for availability and resiliency](#wats-1---test-your-applications-for-availability-and-resiliency) | Application Resilience | Medium | Verified | No | +| [WATS-2 - Consider building logic into your workload to handle errors](#wats-2---consider-building-logic-into-your-workload-to-handle-errors) | Application Resilience | High | Verified | No | +| [WATS-3 - Perform disaster recovery tests reguarly](#wats-3---perform-disaster-recovery-tests-reguarly) | Disaster Recovery | Medium | Verified | No | +| [WATS-4 - Use chaos engineering to test Azure applications](#wats-4---use-chaos-engineering-to-test-azure-applications) | Application Resilience | Medium | Verified | No | +{{< /table >}} + +{{< alert style="info" >}} + +Definitions of states can be found [here]({{< ref "../../../_index.md#definitions-of-terms-used-in-aprl">}}) + +{{< /alert >}} + +## Recommendations Details + +### WATS-1 - Test your applications for 
availability and resiliency + +**Category: Application Resilience** + +**Impact: Medium** + +**Recommendation/Guidance** + +Applications should be tested to ensure availability and resiliency. Availability describes the amount of time that an application runs in a healthy state without significant downtime. Resiliency describes how quickly an application recovers from failure. + +Being able to measure availability and resiliency can answer questions like: How much downtime is acceptable? How much does potential downtime cost your business? What are your availability requirements? How much do you invest in making your application highly available? What is the risk versus the cost? Testing plays a critical role in making sure your applications can meet these requirements. + +Key points: + +- Test regularly to validate existing thresholds, targets, and assumptions. +- Automate testing as much as possible. +- Perform testing on both key Test environments and the production environment. +- Verify how the end-to-end workload performs under intermittent failure conditions. +- Test the application against critical functional and nonfunctional requirements for performance. +- Conduct load testing with expected peak volumes to Test scalability and performance under load. +- Perform chaos testing by injecting faults. + +**Resources** + +- [Testing applications for availability and resiliency](https://learn.microsoft.com/azure/well-architected/resiliency/testing) + +

+ +### WATS-2 - Consider building logic into your workload to handle errors + +**Category: Application Resilience** + +**Impact: High** + +**Recommendation/Guidance** + +In a distributed system, ensuring that your application can recover from errors is critical. You can test your applications to prevent errors and failure, but you need to prepare for a wide range of issues. Testing doesn't always catch everything, so you should understand how to handle errors and prevent potential failure. + +Many things in a distributed system, such as underlying cloud infrastructure and third-party runtime dependencies, are outside your span of control and your means to test. You can be sure something will fail eventually, so you need to be prepared. + +Key points: + +- Implement retry logic to handle transient application failures and transient failures with internal or external dependencies. +- Uncover issues or failures in your application's retry logic. +- Configure request timeouts to manage intercomponent calls. +- Configure and test health probes for your load balancers and traffic managers. +- Segregate read operations from update operations across application data stores. + +**Resources** + +- [Error handling for resilient applications in Azure](https://learn.microsoft.com/azure/well-architected/resiliency/app-design-error-handling) + +

+ +### WATS-3 - Perform disaster recovery tests reguarly + +**Category: Disaster Recovery** + +**Impact: Medium** + +**Recommendation/Guidance** + +Disaster recovery is the process of restoring application functionality after a catastrophic loss. +In cloud environments, we acknowledge up front that failures happen. Instead of trying to prevent failures altogether, the goal is to minimize the effects of a single failing component. Testing is one way to minimize these effects. You should automate testing of your applications where possible, but you also need to be prepared for when they fail. When a failure happens, having backup and recovery strategies becomes important. + +Your tolerance for reduced functionality during a disaster is a business decision that varies from one application to the next. It might be acceptable for some applications to be temporarily unavailable, or partially available with reduced functionality or delayed processing. For other applications, any reduced functionality is unacceptable. + +Key points + +- Create and test a disaster recovery plan regularly using key failure scenarios. +- Design a disaster recovery strategy to run most applications with reduced functionality. +- Design a backup strategy that's tailored for the business requirements and circumstances of the application. +- Automate failover and failback steps and processes. +- Test and validate the failover and failback approach successfully at least once. + +**Resources** + +- [Backup and disaster recovery for Azure applications](https://learn.microsoft.com/azure/well-architected/resiliency/backup-and-recovery) + +

+ +### WATS-4 - Use chaos engineering to test Azure applications + +**Category: Application Resilience** + +**Impact: Medium** + +**Recommendation/Guidance** + +Ideally, you should apply chaos principles continuously. There's constant change in the environments in which software and hardware run, so monitoring the changes is key. By constantly applying stress or faults on components, you can help expose issues early, before small problems are compounded by many other factors. + +Apply chaos engineering principles when you: + +- Deploy new code. +- Add dependencies. +- Observe changes in usage patterns. +- Mitigate problems. + +**Resources** + +- [Use chaos engineering to test Azure applications](https://learn.microsoft.com/azure/well-architected/resiliency/chaos-engineering) + +
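Review bot: "reguarly" in the WATS-3 title is misspelled, and the typo is reproduced in the summary-table anchor "#wats-3---perform-disaster-recovery-tests-reguarly", so both need to change together. Beyond the typo, the WATS-3 body (the two "Disaster recovery is the process of restoring..." paragraphs and the five "Key points" bullets) is a verbatim copy of WADS-7 in 2-design/_index.md; since this page is the Test stage, suggest keeping only the testing-specific points (test the DR plan regularly against key failure scenarios, validate failover and failback) and pointing at WADS-7 for the strategy design text, otherwise readers get the same recommendation twice under different IDs. In WATS-1, "Perform testing on both key Test environments" and "to Test scalability and performance" capitalize "test" mid-sentence, which looks like a find-and-replace artifact from the page title; lower-case them. "Key points" in WATS-3 is also missing the colon used everywhere else.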

diff --git a/docs/content/well-architected/3-test/code/cm-1/cm-1.azcli b/docs/content/well-architected/3-test/code/cm-1/cm-1.azcli new file mode 100644 index 000000000..53d6ce9b0 --- /dev/null +++ b/docs/content/well-architected/3-test/code/cm-1/cm-1.azcli @@ -0,0 +1 @@ +az resource list --resource-type "Micosoft.Example/changeMe" | jq . diff --git a/docs/content/well-architected/3-test/code/cm-1/cm-1.kql b/docs/content/well-architected/3-test/code/cm-1/cm-1.kql new file mode 100644 index 000000000..8fa0b5a6f --- /dev/null +++ b/docs/content/well-architected/3-test/code/cm-1/cm-1.kql @@ -0,0 +1,6 @@ +// Azure Resource Graph Query +// Brief description of the intent of the query (focus on returning resources NOT following your recommendation, and usually name and ResourceId are enough for the report) +Resources +| where type =~ "Microsoft.Example/changeMe" +| project recommendationId = "cm-1", name, id +| order by id asc diff --git a/docs/content/well-architected/3-test/code/cm-1/cm-1.ps1 b/docs/content/well-architected/3-test/code/cm-1/cm-1.ps1 new file mode 100644 index 000000000..d9007ae40 --- /dev/null +++ b/docs/content/well-architected/3-test/code/cm-1/cm-1.ps1 @@ -0,0 +1 @@ +Get-AzResource -ResourceType "Micrsoft.Example/changeMe" | Select-Object name, location, resourceGroup, properties diff --git a/docs/content/well-architected/3-test/code/cm-2/cm-2.azcli b/docs/content/well-architected/3-test/code/cm-2/cm-2.azcli new file mode 100644 index 000000000..53d6ce9b0 --- /dev/null +++ b/docs/content/well-architected/3-test/code/cm-2/cm-2.azcli @@ -0,0 +1 @@ +az resource list --resource-type "Micosoft.Example/changeMe" | jq . diff --git a/docs/content/well-architected/3-test/code/cm-2/cm-2.kql b/docs/content/well-architected/3-test/code/cm-2/cm-2.kql new file mode 100644 index 000000000..c86d926a9 --- /dev/null +++ b/docs/content/well-architected/3-test/code/cm-2/cm-2.kql 
@@ -0,0 +1,6 @@ +// Azure Resource Graph Query +// Brief description of the intent of the query (focus on returning resources NOT following your recommendation, and usually name and ResourceId are enough for the report) +Resources +| where type =~ "Microsoft.Example/changeMe2" +| project recommendationId = "cm-2", name, id +| order by id asc diff --git a/docs/content/well-architected/3-test/code/cm-2/cm-2.ps1 b/docs/content/well-architected/3-test/code/cm-2/cm-2.ps1 new file mode 100644 index 000000000..d9007ae40 --- /dev/null +++ b/docs/content/well-architected/3-test/code/cm-2/cm-2.ps1 @@ -0,0 +1 @@ +Get-AzResource -ResourceType "Micrsoft.Example/changeMe" | Select-Object name, location, resourceGroup, properties diff --git a/docs/content/well-architected/4-deploy/_index.md b/docs/content/well-architected/4-deploy/_index.md new file mode 100644 index 000000000..ed99001ff --- /dev/null +++ b/docs/content/well-architected/4-deploy/_index.md 
@@ -0,0 +1,70 @@ ++++ +title = "4 - Deploy" +description = "Microsoft Azure Well-Architected Framework best practices and recommendations for the Reliability Stage - 4 - Deploy" +date = "9/18/23" +weight = 4 +author = "rodrigosantosms" +msAuthor = "rodrigosantosms" +draft = false ++++ + +The presented Microsoft Azure Well-Architected Framework recommendations in this guidance include Reliability Stage "4 - Deploy (Automation and Deployment)" and associated resources and their settings. + +At this stage, the system is launched into a production environment. Proper deployment strategies, like blue-green or canary deployments, are used to minimize risks associated with releasing new versions. + +## Summary of Recommendations + +{{< table style="table-striped" >}} +| Recommendation | Category | Impact | State | ARG Query Available | +| :----------------------------------------------------------------------------------------------------------------------- | :--------: | :------: | :------: | :-----------------: | +| [WADP-1 - Avoid manual configuration to enforce consistency with Infrastructure as code](#wadp-1---avoid-manual-configuration-to-enforce-consistency-with-infrastructure-as-code) | Automation | Medium | Verified | No | +| [WADP-2 - Validated all changes in development environments before applying them to Production](#wadp-2---validated-all-changes-in-development-environments-before-applying-them-to-production) | Automation | Medium | Verified | No | +{{< /table >}} + +{{< alert style="info" >}} + +Definitions of states can be found [here]({{< ref "../../../_index.md#definitions-of-terms-used-in-aprl">}}) + +{{< /alert >}} + +## Recommendations Details + +### WADP-1 - Avoid manual configuration to enforce consistency with Infrastructure as code + +**Category: Automation** + +**Impact: Medium** + +**Recommendation/Guidance** + +Infrastructure as code (IaC) uses DevOps methodology and versioning with a descriptive model to define and deploy infrastructure, such 
as networks, virtual machines, load balancers, and connection topologies. Just as the same source code always generates the same binary, an IaC model generates the same environment every time it deploys. + +IaC is a key DevOps practice and a component of continuous delivery. With IaC, DevOps teams can work together with a unified set of practices and tools to deliver applications and their supporting infrastructure rapidly and reliably at scale. + +Key Points: + +- Avoid manual configuration to enforce consistency +- Deliver stable test environments rapidly at scale +- Use declarative definition files + +**Resources** + +- [Avoid manual configuration to enforce consistency](https://learn.microsoft.com/devops/deliver/what-is-infrastructure-as-code#avoid-manual-configuration-to-enforce-consistency) + +

+ +### WADP-2 - Validated all changes in development environments before applying them to Production + +**Category: Automation** + +**Impact: Medium** + +**Recommendation/Guidance** + +FILL ME IN... + +**Resources** + +- [Safe deployment practices](https://learn.microsoft.com/devops/operate/safe-deployment-practices) + +

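Review bot: WADP-2's guidance body is still the "FILL ME IN..." placeholder, yet the summary row marks it Verified and the front matter sets draft = false, so the page would publish an empty recommendation. Fill in the guidance from the linked Safe deployment practices page or mark the row Preview until it is written. While editing that heading, change "Validated all changes" to "Validate all changes" so it reads as an imperative like WADP-1, and update the matching fragment in the summary table (`#wadp-2---validated-all-changes-...`) in the same change, since the anchor is derived from the heading text and the in-page link breaks otherwise.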
diff --git a/docs/content/well-architected/4-deploy/code/cm-1/cm-1.azcli b/docs/content/well-architected/4-deploy/code/cm-1/cm-1.azcli new file mode 100644 index 000000000..53d6ce9b0 --- /dev/null +++ b/docs/content/well-architected/4-deploy/code/cm-1/cm-1.azcli @@ -0,0 +1 @@ +az resource list --resource-type "Micosoft.Example/changeMe" | jq . diff --git a/docs/content/well-architected/4-deploy/code/cm-1/cm-1.kql b/docs/content/well-architected/4-deploy/code/cm-1/cm-1.kql new file mode 100644 index 000000000..8fa0b5a6f --- /dev/null +++ b/docs/content/well-architected/4-deploy/code/cm-1/cm-1.kql @@ -0,0 +1,6 @@ +// Azure Resource Graph Query +// Brief description of the intent of the query (focus on returning resources NOT following your recommendation, and usually name and ResourceId are enough for the report) +Resources +| where type =~ "Microsoft.Example/changeMe" +| project recommendationId = "cm-1", name, id +| order by id asc diff --git a/docs/content/well-architected/4-deploy/code/cm-1/cm-1.ps1 b/docs/content/well-architected/4-deploy/code/cm-1/cm-1.ps1 new file mode 100644 index 000000000..d9007ae40 --- /dev/null +++ b/docs/content/well-architected/4-deploy/code/cm-1/cm-1.ps1 @@ -0,0 +1 @@ +Get-AzResource -ResourceType "Micrsoft.Example/changeMe" | Select-Object name, location, resourceGroup, properties diff --git a/docs/content/well-architected/4-deploy/code/cm-2/cm-2.azcli b/docs/content/well-architected/4-deploy/code/cm-2/cm-2.azcli new file mode 100644 index 000000000..53d6ce9b0 --- /dev/null +++ b/docs/content/well-architected/4-deploy/code/cm-2/cm-2.azcli @@ -0,0 +1 @@ +az resource list --resource-type "Micosoft.Example/changeMe" | jq . diff --git a/docs/content/well-architected/4-deploy/code/cm-2/cm-2.kql b/docs/content/well-architected/4-deploy/code/cm-2/cm-2.kql new file mode 100644 index 000000000..c86d926a9 --- /dev/null +++ b/docs/content/well-architected/4-deploy/code/cm-2/cm-2.kql 
@@ -0,0 +1,6 @@ +// Azure Resource Graph Query +// Brief description of the intent of the query (focus on returning resources NOT following your recommendation, and usually name and ResourceId are enough for the report) +Resources +| where type =~ "Microsoft.Example/changeMe2" +| project recommendationId = "cm-2", name, id +| order by id asc diff --git a/docs/content/well-architected/4-deploy/code/cm-2/cm-2.ps1 b/docs/content/well-architected/4-deploy/code/cm-2/cm-2.ps1 new file mode 100644 index 000000000..d9007ae40 --- /dev/null +++ b/docs/content/well-architected/4-deploy/code/cm-2/cm-2.ps1 @@ -0,0 +1 @@ +Get-AzResource -ResourceType "Micrsoft.Example/changeMe" | Select-Object name, location, resourceGroup, properties diff --git a/docs/content/well-architected/5-monitor/_index.md b/docs/content/well-architected/5-monitor/_index.md new file mode 100644 index 000000000..499684528 --- /dev/null +++ b/docs/content/well-architected/5-monitor/_index.md 
@@ -0,0 +1,122 @@ ++++ +title = "5 - Monitor" +description = "Microsoft Azure Well-Architected Framework best practices and recommendations for the Reliability Stage - 5 - Monitor" +date = "9/18/23" +weight = 5 +author = "rodrigosantosms" +msAuthor = "rodrigosantosms" +draft = false ++++ + +The presented Microsoft Azure Well-Architected Framework recommendations in this guidance include Reliability Stage "5 - Monitor (Observability and Monitoring)" and associated resources and their settings. + +Ongoing monitoring is essential for maintaining system reliability. Key performance indicators (KPIs) are constantly observed to ensure the system is meeting its defined objectives. Services like Azure Monitor, Network Watcher, and Service Health can be invaluable here. + +## Summary of Recommendations + +{{< table style="table-striped" >}} +| Recommendation | Category | Impact | State | ARG Query Available | +| :----------------------------------------------------------------------------------------------------------------------------------------- | :-----------: | :------: | :------: | :-----------------: | +| [WAMN-1 - Make sure your application's health is being monitored](#wamn-1---make-sure-your-applications-health-is-being-monitored) | Monitoring | Medium | Verified | No | +| [WAMN-2 - Define a health model based on performance, availability, and recovery targets](#wamn-2---define-a-health-model-based-on-performance-availability-and-recovery-targets) | Monitoring | Low | Verified | No | +| [WAMN-3 - Create Dashboards and Alerts for Azure Platform resources](#wamn-3---create-dashboards-and-alerts-for-azure-platform-resources) | Monitoring | Low | Verified | No | +| [WAMN-4 - Ensure that the right people in your organization will be notified about any future service issues](#wamn-4---ensure-that-the-right-people-in-your-organization-will-be-notified-about-any-future-service-issues) | Monitoring | Medium | Verified | No | +{{< /table >}} + +{{< alert style="info" >}} + 
+Definitions of states can be found [here]({{< ref "../../../_index.md#definitions-of-terms-used-in-aprl">}}) + +{{< /alert >}} + +## Recommendations Details + +### WAMN-1 - Make sure your application's health is being monitored + +**Category: Monitoring** + +**Impact: Medium** + +**Recommendation/Guidance** + +Monitoring and diagnostics are crucial for availability and resiliency. If something fails, you need to know that it failed, when it failed, and why. + +Monitoring isn't the same as failure detection. For example, your application might detect a transient error and retry, avoiding downtime. It should also log the retry operation so that you can monitor the error rate to get an overall picture of application health. + +Key points: + +- Define alerts that are actionable and effectively prioritized. +- Create alerts that poll for services nearing their limits and quotas. +- Use application instrumentation to detect and resolve performance anomalies. +- Track the progress of long-running processes. +- Troubleshoot issues to gain an overall view of application health. +- Document how to analyze, diagnose, and respond to signals being monitored + +**Resources** + +- [Monitoring application health for reliability](https://learn.microsoft.com/azure/well-architected/resiliency/monitoring) + +

+ +### WAMN-2 - Define a health model based on performance, availability, and recovery targets + +**Category: Monitoring** + +**Impact: Low** + +**Recommendation/Guidance** + +The health model should be able to surface the health of critical system flows or key subsystems to ensure that appropriate operational prioritization is applied. For example, the health model should be able to represent the current state of the user sign-in transaction flow. + +The health model shouldn't treat all failures the same. The health model should distinguish between transient and non transient faults. It should clearly distinguish between expected-transient but recoverable failures and a true disaster state. + +Key points: + +- Know how to tell if an application is healthy or unhealthy. +- Understand the effects of logs in diagnostic data. +- Ensure the consistent use of diagnostic settings across the application. +- Use critical system flows in your health model. + +**Resources** + +- [Health modeling for reliability](https://learn.microsoft.com/azure/well-architected/resiliency/monitor-model) + +

+ +### WAMN-3 - Create Dashboards and Alerts for Azure Platform resources + +**Category: Monitoring** + +**Impact: Low** + +**Recommendation/Guidance** + +In this stage, telemetry data is presented so that an operator can quickly notice problems or trends. +Examples include Workbook, Dashboards or email alerts. With Azure Workbooks and/or dashboards, you can build a single pane of glass view of monitoring graphs originating from Application Insights, Log Analytics, Azure Monitor metrics and service health. With Azure Monitor alerts, you can create alerts on service health and resource health. + +**Resources** + +- [Azure Workbooks templates](https://learn.microsoft.com/azure/azure-monitor/visualize/workbooks-templates) + +

+ +### WAMN-4 - Ensure that the right people in your organization will be notified about any future service issues + +**Category: Monitoring** + +**Impact: Medium** + +**Recommendation/Guidance** + +Azure offers a suite of experiences to keep you informed about the health of your cloud resources. The Service Health portal tracks four types of health events that may impact your resources: + +- Service issues - Problems in the Azure services that affect you right now (Outages) +- Planned maintenance - Upcoming maintenance that can affect the availability of your services in the future. +- Health advisories - Changes in Azure services that require your attention. Examples include deprecation of Azure features or upgrade requirements (e.g upgrade to a supported PHP framework). +- Security advisories - Security related notifications or violations that may affect the availability of your Azure services. + +**Resources** + +- [Create a Service Health alert using the Azure portal](https://learn.microsoft.com/azure/service-health/alerts-activity-log-service-notifications-portal#create-a-service-health-alert-using-the-azure-portal) + +

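Review bot: a few wording fixes in the 5-monitor text: in WAMN-2, "transient and non transient faults" should be "non-transient"; in WAMN-1 the last key point ("Document how to analyze, diagnose, and respond to signals being monitored") is the only one without a terminating period; in WAMN-3, "Examples include Workbook, Dashboards or email alerts" reads better as "Examples include workbooks, dashboards and email alerts", and that paragraph is split across two lines where every other paragraph is a single line; in WAMN-4, "(e.g upgrade to a supported PHP framework)" needs "e.g.". WAMN-3 also describes alerts on service health and resource health but its Resources list only links the workbook templates; add a reference for the alerting half or trim the guidance to what is linked.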
diff --git a/docs/content/well-architected/5-monitor/code/cm-1/cm-1.azcli b/docs/content/well-architected/5-monitor/code/cm-1/cm-1.azcli new file mode 100644 index 000000000..53d6ce9b0 --- /dev/null +++ b/docs/content/well-architected/5-monitor/code/cm-1/cm-1.azcli @@ -0,0 +1 @@ +az resource list --resource-type "Micosoft.Example/changeMe" | jq . diff --git a/docs/content/well-architected/5-monitor/code/cm-1/cm-1.kql b/docs/content/well-architected/5-monitor/code/cm-1/cm-1.kql new file mode 100644 index 000000000..8fa0b5a6f --- /dev/null +++ b/docs/content/well-architected/5-monitor/code/cm-1/cm-1.kql @@ -0,0 +1,6 @@ +// Azure Resource Graph Query +// Brief description of the intent of the query (focus on returning resources NOT following your recommendation, and usually name and ResourceId are enough for the report) +Resources +| where type =~ "Microsoft.Example/changeMe" +| project recommendationId = "cm-1", name, id +| order by id asc diff --git a/docs/content/well-architected/5-monitor/code/cm-1/cm-1.ps1 b/docs/content/well-architected/5-monitor/code/cm-1/cm-1.ps1 new file mode 100644 index 000000000..d9007ae40 --- /dev/null +++ b/docs/content/well-architected/5-monitor/code/cm-1/cm-1.ps1 @@ -0,0 +1 @@ +Get-AzResource -ResourceType "Micrsoft.Example/changeMe" | Select-Object name, location, resourceGroup, properties diff --git a/docs/content/well-architected/5-monitor/code/cm-2/cm-2.azcli b/docs/content/well-architected/5-monitor/code/cm-2/cm-2.azcli new file mode 100644 index 000000000..53d6ce9b0 --- /dev/null +++ b/docs/content/well-architected/5-monitor/code/cm-2/cm-2.azcli @@ -0,0 +1 @@ +az resource list --resource-type "Micosoft.Example/changeMe" | jq . diff --git a/docs/content/well-architected/5-monitor/code/cm-2/cm-2.kql b/docs/content/well-architected/5-monitor/code/cm-2/cm-2.kql new file mode 100644 index 000000000..c86d926a9 --- /dev/null +++ b/docs/content/well-architected/5-monitor/code/cm-2/cm-2.kql 
@@ -0,0 +1,6 @@ +// Azure Resource Graph Query +// Brief description of the intent of the query (focus on returning resources NOT following your recommendation, and usually name and ResourceId are enough for the report) +Resources +| where type =~ "Microsoft.Example/changeMe2" +| project recommendationId = "cm-2", name, id +| order by id asc diff --git a/docs/content/well-architected/5-monitor/code/cm-2/cm-2.ps1 b/docs/content/well-architected/5-monitor/code/cm-2/cm-2.ps1 new file mode 100644 index 000000000..d9007ae40 --- /dev/null +++ b/docs/content/well-architected/5-monitor/code/cm-2/cm-2.ps1 @@ -0,0 +1 @@ +Get-AzResource -ResourceType "Micrsoft.Example/changeMe" | Select-Object name, location, resourceGroup, properties diff --git a/docs/content/well-architected/6-respond/_index.md b/docs/content/well-architected/6-respond/_index.md new file mode 100644 index 000000000..5d8678396 --- /dev/null +++ b/docs/content/well-architected/6-respond/_index.md 
@@ -0,0 +1,56 @@ ++++ +title = "6 - Respond" +description = "Microsoft Azure Well-Architected Framework best practices and recommendations for the Reliability Stage - 6 - Respont" +date = "9/18/23" +weight = 6 +author = "rodrigosantosms" +msAuthor = "rodrigosantosms" +draft = false ++++ + +The presented Microsoft Azure Well-Architected Framework recommendations in this guidance include Reliability Stage "6 - Respond (Responding to Failures)" and associated resources and their settings. + +This final stage involves having plans and procedures in place to react to incidents affecting reliability. This includes automated failovers, backup restoration, and escalation protocols for manual intervention. + +## Summary of Recommendations + +{{< table style="table-striped" >}} +| Recommendation | Category | Impact | State | ARG Query Available | +| :---------------------------------------------------------------------------------------------------------- | :---------: | :------: | :------: | :-----------------: | +| [WARD-1 - Implement proactive Incident Response](#ward-1---implement-proactive-incident-response) | Disaster Recovery | High | Verified | No | +{{< /table >}} + +{{< alert style="info" >}} + +Definitions of states can be found [here]({{< ref "../../../_index.md#definitions-of-terms-used-in-aprl">}}) + +{{< /alert >}} + +## Recommendations Details + +### WARD-1 - Implement proactive Incident Response + +**Category: Disaster Recovery** + +**Impact: High** + +**Recommendation/Guidance** + +Prevention of all problems is a laudable, but impossible goal. Things will go wrong, so we need a plan to limit the impact on our end users and return operations to normal as quickly as possible. + +The key is to respond with urgency, rather than react. A reaction tends to be more impulsive and based in the present moment, without consideration of long-term effects. A response is well-thought-out, organized, and information based. 
+ +Your incident response approach determines your effectiveness at: + +Understanding what’s going on (diagnosing the problem) +Triaging (determining the urgency) and prioritizing the problem +Engaging the right resources to mitigate the issue(s), and +Communicating with stakeholders about the problem +After the problem has been remediated, you can then learn from the incident through a post-incident review process. That's an important subject which has a whole separate module worth of discussion. + +**Resources** + +- [Importance of incident response](https://learn.microsoft.com/training/modules/improve-reliability-incidents/2-importance) +- [Incident tracking](https://learn.microsoft.com/training/modules/improve-reliability-incidents/5-tracking) + +

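Review bot: the front-matter description ends in "Reliability Stage - 6 - Respont"; fix to "Respond". In WARD-1 the four lines after "Your incident response approach determines your effectiveness at:" ("Understanding what's going on (diagnosing the problem)", "Triaging ...", "Engaging ...", "Communicating ...") carry no `-` markers, so Markdown renders them together with the following "After the problem has been remediated" sentence as one run-on paragraph; make them list items, as the "Key points" lists on the other pages are, and start the post-incident sentence as its own paragraph. "That's an important subject which has a whole separate module worth of discussion" points at a Learn module the page never names; either link it under Resources or drop the sentence.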
diff --git a/docs/content/well-architected/6-respond/code/cm-1/cm-1.azcli b/docs/content/well-architected/6-respond/code/cm-1/cm-1.azcli new file mode 100644 index 000000000..53d6ce9b0 --- /dev/null +++ b/docs/content/well-architected/6-respond/code/cm-1/cm-1.azcli @@ -0,0 +1 @@ +az resource list --resource-type "Micosoft.Example/changeMe" | jq . diff --git a/docs/content/well-architected/6-respond/code/cm-1/cm-1.kql b/docs/content/well-architected/6-respond/code/cm-1/cm-1.kql new file mode 100644 index 000000000..8fa0b5a6f --- /dev/null +++ b/docs/content/well-architected/6-respond/code/cm-1/cm-1.kql @@ -0,0 +1,6 @@ +// Azure Resource Graph Query +// Brief description of the intent of the query (focus on returning resources NOT following your recommendation, and usually name and ResourceId are enough for the report) +Resources +| where type =~ "Microsoft.Example/changeMe" +| project recommendationId = "cm-1", name, id +| order by id asc diff --git a/docs/content/well-architected/6-respond/code/cm-1/cm-1.ps1 b/docs/content/well-architected/6-respond/code/cm-1/cm-1.ps1 new file mode 100644 index 000000000..d9007ae40 --- /dev/null +++ b/docs/content/well-architected/6-respond/code/cm-1/cm-1.ps1 @@ -0,0 +1 @@ +Get-AzResource -ResourceType "Micrsoft.Example/changeMe" | Select-Object name, location, resourceGroup, properties diff --git a/docs/content/well-architected/6-respond/code/cm-2/cm-2.azcli b/docs/content/well-architected/6-respond/code/cm-2/cm-2.azcli new file mode 100644 index 000000000..53d6ce9b0 --- /dev/null +++ b/docs/content/well-architected/6-respond/code/cm-2/cm-2.azcli @@ -0,0 +1 @@ +az resource list --resource-type "Micosoft.Example/changeMe" | jq . diff --git a/docs/content/well-architected/6-respond/code/cm-2/cm-2.kql b/docs/content/well-architected/6-respond/code/cm-2/cm-2.kql new file mode 100644 index 000000000..c86d926a9 --- /dev/null +++ b/docs/content/well-architected/6-respond/code/cm-2/cm-2.kql 
@@ -0,0 +1,6 @@ +// Azure Resource Graph Query +// Brief description of the intent of the query (focus on returning resources NOT following your recommendation, and usually name and ResourceId are enough for the report) +Resources +| where type =~ "Microsoft.Example/changeMe2" +| project recommendationId = "cm-2", name, id +| order by id asc diff --git a/docs/content/well-architected/6-respond/code/cm-2/cm-2.ps1 b/docs/content/well-architected/6-respond/code/cm-2/cm-2.ps1 new file mode 100644 index 000000000..d9007ae40 --- /dev/null +++ b/docs/content/well-architected/6-respond/code/cm-2/cm-2.ps1 @@ -0,0 +1 @@ +Get-AzResource -ResourceType "Micrsoft.Example/changeMe" | Select-Object name, location, resourceGroup, properties diff --git a/docs/content/well-architected/_index.md b/docs/content/well-architected/_index.md new file mode 100644 index 000000000..7d56beca0 --- /dev/null +++ b/docs/content/well-architected/_index.md @@ -0,0 +1,21 @@ ++++ +title = "Well Architected Framework" +description = "Well-Architected Framework" +date = "9/18/23" +weight = 2 +author = "rodrigosantosms" +msAuthor = "rodrigosantosms" +draft = false ++++ + +This page lists all of the Well-Architected Framework Reliability Stages for which the APRL has guidance and recommendations for. + +## Reliability Stages + +{{< alert style="info" >}} + +The below list of Reliability Stages is automatically populated based on the child folders and files in this directory within the source code in the repo. + +{{< /alert >}} + +{{< childpages >}} From 901d5dc1d185306c152cb93e5d31d641dc328eac Mon Sep 17 00:00:00 2001 
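Review bot: the cm-1 and cm-2 azcli, kql and ps1 files added under 4-deploy/code, 5-monitor/code and 6-respond/code are the unmodified archetype template: the azcli files query "Micosoft.Example/changeMe", the ps1 files "Micrsoft.Example/changeMe" (both misspell Microsoft), the kql files emit recommendationId "cm-1"/"cm-2" rather than the WADP-n, WAMN-n and WARD-n IDs the pages use, and cm-2.ps1 still targets changeMe while cm-2.kql targets changeMe2. Every row in the three summary tables says ARG Query Available: No, so nothing references these files; drop them rather than commit placeholders that a tooling run would execute against a resource provider that does not exist.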
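Review bot: in well-architected/_index.md, "lists all of the Well-Architected Framework Reliability Stages for which the APRL has guidance and recommendations for" doubles the preposition; drop the trailing "for".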
From: Rodrigo Santos Date: Fri, 22 Sep 2023 23:46:43 -0400 Subject: [PATCH 6/6] query-bug-fixes-standardization --- .../code/vmss-1/vmss-1.kql | 2 +- .../code/vmss-2/vmss-2.kql | 3 - .../code/vmss-3/vmss-3.kql | 3 - .../code/vmss-4/vmss-4.kql | 2 +- .../code/vmss-5/vmss-5.kql | 2 +- .../code/vmss-6/vmss-6.kql | 2 +- .../code/vmss-7/vmss-7.kql | 2 +- .../code/vmss-8/vmss-8.kql | 2 +- .../virtual-machines/code/vm-1/vm-1.kql | 2 +- .../virtual-machines/code/vm-10/vm-10.kql | 2 +- .../virtual-machines/code/vm-18/vm-18.kql | 3 +- .../virtual-machines/code/vm-19/vm-19.kql | 7 +- .../virtual-machines/code/vm-2/vm-2.kql | 2 +- .../virtual-machines/code/vm-20/vm-20.kql | 8 +- .../virtual-machines/code/vm-3/vm-3.kql | 2 +- .../virtual-machines/code/vm-8/vm-8.kql | 2 +- .../container/aks/code/aks-1/aks-1.kql | 7 +- .../container/aks/code/aks-2/aks-2.kql | 6 +- .../container/aks/code/aks-3/aks-3.kql | 7 +- .../container/aks/code/aks-4/aks-4.kql | 7 +- .../container/aks/code/aks-5/aks-5.kql | 5 +- .../services/container/aks/code/cm-1/cm-1.kql | 6 +- .../services/container/aks/code/cm-2/cm-2.kql | 6 +- .../code/cr-3/cr-3.kql | 4 +- .../code/cr-6/cr-6.kql | 4 +- .../cosmosdb/code/cosmos-2/cosmos-2.kql | 2 +- .../cosmosdb/code/cosmos-4/cosmos-4.kql | 4 +- .../log-analytics/code/log-2/log-2.kql | 2 +- .../code/appgw-1/appgw-1.kql | 7 - .../code/appgw-3/appgw-3.kql | 7 - .../code/appgw-4/appgw-4.kql | 8 - .../networking/application-gateway/_index.md | 16 +- .../application-gateway/code/agw-1/agw-1.kql | 2 +- .../application-gateway/code/agw-2/agw-2.kql | 8 +- .../application-gateway/code/agw-3/agw-3.kql | 2 +- .../application-gateway/code/agw-4/agw-4.kql | 2 +- .../application-gateway/code/agw-5/agw-5.kql | 83 ++++---- .../application-gateway/code/agw-6/agw-6.kql | 14 +- .../code/erc-1/erc-1.kql | 2 +- .../code/erc-5/erc-5.kql | 2 +- .../expressroute-gateway/code/erg-1/erg-1.kql | 4 +- .../expressroute-gateway/code/erg-4/erg-4.kql | 2 +- .../networking/firewall/code/afw-1/afw-1.kql 
| 3 +- .../firewall/code/afw-2/afw-2-rosantosf2.kql | 1 - .../networking/firewall/code/afw-2/afw-2.kql | 4 +- .../networking/firewall/code/afw-3/afw-3.kql | 2 +- .../firewall/code/afw-4/afw-4-rosantosf2.kql | 1 - .../networking/firewall/code/afw-4/afw-4.kql | 4 +- .../networking/firewall/code/afw-5/afw-5.kql | 4 +- .../firewall/code/afw-6/afw-6-rosantosf2.kql | 1 - .../networking/firewall/code/afw-6/afw-6.kql | 4 +- .../firewall/code/afw-7/afw-7-rosantosf2.kql | 1 - .../networking/firewall/code/afw-7/afw-7.kql | 4 +- .../code/afd-1/afd-1-rosantosf2.kql | 3 - .../front-door/code/afd-1/afd-1.kql | 2 +- .../code/afd-10/afd-10-rosantosf2.kql | 4 - .../front-door/code/afd-10/afd-10.kql | 2 +- .../front-door/code/afd-11/afd-11.kql | 2 +- .../networking/traffic-manager/_index.md | 24 +-- .../storage/storage-Account/_index.md | 4 +- services-abbreviations.csv | 179 ++++++++++++++++++ 61 files changed, 324 insertions(+), 190 deletions(-) delete mode 100644 docs/content/services/networking/Application Gateway/code/appgw-1/appgw-1.kql delete mode 100644 docs/content/services/networking/Application Gateway/code/appgw-3/appgw-3.kql delete mode 100644 docs/content/services/networking/Application Gateway/code/appgw-4/appgw-4.kql delete mode 100644 docs/content/services/networking/firewall/code/afw-2/afw-2-rosantosf2.kql delete mode 100644 docs/content/services/networking/firewall/code/afw-4/afw-4-rosantosf2.kql delete mode 100644 docs/content/services/networking/firewall/code/afw-6/afw-6-rosantosf2.kql delete mode 100644 docs/content/services/networking/firewall/code/afw-7/afw-7-rosantosf2.kql delete mode 100644 docs/content/services/networking/front-door/code/afd-1/afd-1-rosantosf2.kql delete mode 100644 docs/content/services/networking/front-door/code/afd-10/afd-10-rosantosf2.kql create mode 100644 services-abbreviations.csv 
diff --git a/docs/content/services/compute/virtual-machine-scale-sets/code/vmss-1/vmss-1.kql b/docs/content/services/compute/virtual-machine-scale-sets/code/vmss-1/vmss-1.kql index 708448e54..37c0dd5cc 100644 --- a/docs/content/services/compute/virtual-machine-scale-sets/code/vmss-1/vmss-1.kql +++ b/docs/content/services/compute/virtual-machine-scale-sets/code/vmss-1/vmss-1.kql @@ -3,4 +3,4 @@ resources | where type == "microsoft.compute/virtualmachinescalesets" | where properties.orchestrationMode != "Flexible" -| project recommendationId = "vmss-1", name, id, orchestrationMode = strcat("orchestrationMode: ", tostring(properties.orchestrationMode)) +| project recommendationId = "vmss-1", name, id, param1 = strcat("orchestrationMode: ", tostring(properties.orchestrationMode)) diff --git a/docs/content/services/compute/virtual-machine-scale-sets/code/vmss-2/vmss-2.kql b/docs/content/services/compute/virtual-machine-scale-sets/code/vmss-2/vmss-2.kql index 91c74cc3a..5e039f9a0 100644 --- a/docs/content/services/compute/virtual-machine-scale-sets/code/vmss-2/vmss-2.kql +++ b/docs/content/services/compute/virtual-machine-scale-sets/code/vmss-2/vmss-2.kql @@ -1,5 +1,2 @@ // Azure Resource Graph Query // Under development -// resources -//| where type == "microsoft.compute/virtualmachinescalesets" -//| project recommendationId = "vmss-2", name, id diff --git a/docs/content/services/compute/virtual-machine-scale-sets/code/vmss-3/vmss-3.kql b/docs/content/services/compute/virtual-machine-scale-sets/code/vmss-3/vmss-3.kql index 7fd291150..5e039f9a0 100644 --- a/docs/content/services/compute/virtual-machine-scale-sets/code/vmss-3/vmss-3.kql +++ b/docs/content/services/compute/virtual-machine-scale-sets/code/vmss-3/vmss-3.kql @@ -1,5 +1,2 @@ // Azure Resource Graph Query // Under development -// resources -//| where type == "microsoft.compute/virtualmachinescalesets" -//| project recommendationId = "vmss-3", name, id \ No newline at end of file 
diff --git a/docs/content/services/compute/virtual-machine-scale-sets/code/vmss-4/vmss-4.kql b/docs/content/services/compute/virtual-machine-scale-sets/code/vmss-4/vmss-4.kql index 4e7ed19b1..27922af9a 100644 --- a/docs/content/services/compute/virtual-machine-scale-sets/code/vmss-4/vmss-4.kql +++ b/docs/content/services/compute/virtual-machine-scale-sets/code/vmss-4/vmss-4.kql @@ -10,5 +10,5 @@ resources | project id = tostring(properties.targetResourceUri), autoscalesettings = properties ) on id | where isnull(autoscalesettings) or autoscalesettings.enabled == "false" -| project recommendationId = "vmss-4", name, id, autoscalesettings = "autoscalesettings: Manual" +| project recommendationId = "vmss-4", name, id, param1 = "autoscalesettings: Manual" | order by id asc diff --git a/docs/content/services/compute/virtual-machine-scale-sets/code/vmss-5/vmss-5.kql b/docs/content/services/compute/virtual-machine-scale-sets/code/vmss-5/vmss-5.kql index 44529526f..dfee74e64 100644 --- a/docs/content/services/compute/virtual-machine-scale-sets/code/vmss-5/vmss-5.kql +++ b/docs/content/services/compute/virtual-machine-scale-sets/code/vmss-5/vmss-5.kql @@ -10,5 +10,5 @@ resources | project id = tostring(properties.targetResourceUri), autoscalesettings = properties ) on id | where isnull(autoscalesettings) or autoscalesettings.enabled == "disabled" and autoscalesettings.predictiveAutoscalePolicy.scaleMode == "Disabled" -| project recommendationId = "vmss-5", name, id, predictiveAutoscalePolicy_scaleMode = "predictiveAutoscalePolicy_scaleMode: Disabled" +| project recommendationId = "vmss-5", name, id, param1 = "predictiveAutoscalePolicy_scaleMode: Disabled" | order by id asc diff --git a/docs/content/services/compute/virtual-machine-scale-sets/code/vmss-6/vmss-6.kql b/docs/content/services/compute/virtual-machine-scale-sets/code/vmss-6/vmss-6.kql index d21591ba6..c0d9db40c 100644 --- a/docs/content/services/compute/virtual-machine-scale-sets/code/vmss-6/vmss-6.kql 
+++ b/docs/content/services/compute/virtual-machine-scale-sets/code/vmss-6/vmss-6.kql @@ -3,5 +3,5 @@ resources | where type == "microsoft.compute/virtualmachinescalesets" | where properties.orchestrationMode == "Uniform" and properties.zoneBalance == "True" -| project recommendationId = "vmss-6", name, id, zoneBalance = "strictly zoneBalance: Enabled" +| project recommendationId = "vmss-6", name, id, param1 = "strictly zoneBalance: Enabled" | order by id asc diff --git a/docs/content/services/compute/virtual-machine-scale-sets/code/vmss-7/vmss-7.kql b/docs/content/services/compute/virtual-machine-scale-sets/code/vmss-7/vmss-7.kql index d2570e479..13ce0ac37 100644 --- a/docs/content/services/compute/virtual-machine-scale-sets/code/vmss-7/vmss-7.kql +++ b/docs/content/services/compute/virtual-machine-scale-sets/code/vmss-7/vmss-7.kql @@ -3,5 +3,5 @@ resources | where type == "microsoft.compute/virtualmachinescalesets" | where properties.platformFaultDomainCount > 1 -| project recommendationId = "vmss-7", name, id, platformFaultDomainCount = "platformFaultDomainCount: Static" +| project recommendationId = "vmss-7", name, id, param1 = "platformFaultDomainCount: Static" | order by id asc diff --git a/docs/content/services/compute/virtual-machine-scale-sets/code/vmss-8/vmss-8.kql b/docs/content/services/compute/virtual-machine-scale-sets/code/vmss-8/vmss-8.kql index 14afd2ec0..c3e94a1b8 100644 --- a/docs/content/services/compute/virtual-machine-scale-sets/code/vmss-8/vmss-8.kql +++ b/docs/content/services/compute/virtual-machine-scale-sets/code/vmss-8/vmss-8.kql @@ -3,5 +3,5 @@ resources | where type == "microsoft.compute/virtualmachinescalesets" | where array_length(zones) <= 1 or isnull(zones) -| project recommendationId = "vmss-8", name, id, AvailabilityZones = "AvailabilityZones: Single Zone" +| project recommendationId = "vmss-8", name, id, param1 = "AvailabilityZones: Single Zone" | order by id asc 
diff --git a/docs/content/services/compute/virtual-machines/code/vm-1/vm-1.kql b/docs/content/services/compute/virtual-machines/code/vm-1/vm-1.kql index 187c3c85d..3b091b3e1 100644 --- a/docs/content/services/compute/virtual-machines/code/vm-1/vm-1.kql +++ b/docs/content/services/compute/virtual-machines/code/vm-1/vm-1.kql @@ -12,4 +12,4 @@ resources | where type =~ 'Microsoft.Compute/virtualMachines' | project resourceGroup, name, id )on resourceGroup -| project recommendationId = "vm-1", name, id, resourceGroup +| project recommendationId = "vm-1", name, id, param1=resourceGroup diff --git a/docs/content/services/compute/virtual-machines/code/vm-10/vm-10.kql b/docs/content/services/compute/virtual-machines/code/vm-10/vm-10.kql index 1cb16d338..0120f0b0a 100644 --- a/docs/content/services/compute/virtual-machines/code/vm-10/vm-10.kql +++ b/docs/content/services/compute/virtual-machines/code/vm-10/vm-10.kql @@ -11,5 +11,5 @@ Resources | project nicName = tostring(split(tostring(id), '/')[8]) ) on nicName | summarize NicNames = make_set(nicName) by name, id -| project recommendationId = "vm-10", name, id, NicNames +| project recommendationId = "vm-10", name, id, param1=NicNames | order by id asc diff --git a/docs/content/services/compute/virtual-machines/code/vm-18/vm-18.kql b/docs/content/services/compute/virtual-machines/code/vm-18/vm-18.kql index 464de8953..0a0d762ec 100644 --- a/docs/content/services/compute/virtual-machines/code/vm-18/vm-18.kql +++ b/docs/content/services/compute/virtual-machines/code/vm-18/vm-18.kql 
@@ -5,5 +5,4 @@ PolicyResources | where properties.complianceState == 'NonCompliant' | extend vmResourceId = properties.resourceId, vmresourceType = properties.resourceType, PolicyAssignmentName = properties.policyAssignmentName | where vmresourceType == 'Microsoft.Compute/virtualMachines' -| project recommendationId = "vm-18", vmName = tostring(split(tostring(properties.resourceId), '/')[8]), vmResourceId, Policyname = name -| order by vmName asc +| project recommendationId = "vm-18", name = tostring(split(tostring(properties.resourceId), '/')[8]), id=vmResourceId, param1 = strcat ("Policyname: ", name) diff --git a/docs/content/services/compute/virtual-machines/code/vm-19/vm-19.kql b/docs/content/services/compute/virtual-machines/code/vm-19/vm-19.kql index 5d52ddc53..c5cae4fd8 100644 --- a/docs/content/services/compute/virtual-machines/code/vm-19/vm-19.kql +++ b/docs/content/services/compute/virtual-machines/code/vm-19/vm-19.kql @@ -1,7 +1,8 @@ // Azure Resource Graph Query // Find all disks that are not encrypted -Resources +resources | where type == "microsoft.compute/disks" -| project recommendationId="vm-19", diskName=name, id, encryptionType=properties.encryption.type, diskState=properties.diskState +| extend encryptionType = properties.encryption.type +| extend diskState = properties.diskState | where encryptionType !in ("EncryptionAtRestWithCustomerKey", "EncryptionAtRestWithPlatformAndCustomerKeys", "EncryptionAtRestWithPlatformKey") -| order by diskName asc +| project recommendationId="vm-19", name, id, param1=strcat("encryptionType: " , properties.encryption.type), param2= strcat ("diskstate: ", properties.diskState) diff --git a/docs/content/services/compute/virtual-machines/code/vm-2/vm-2.kql b/docs/content/services/compute/virtual-machines/code/vm-2/vm-2.kql index 3d593194e..5855d7cfd 100644 --- a/docs/content/services/compute/virtual-machines/code/vm-2/vm-2.kql +++ b/docs/content/services/compute/virtual-machines/code/vm-2/vm-2.kql 
@@ -3,4 +3,4 @@ Resources | where type =~ 'Microsoft.Compute/virtualMachines' | where isnull(zones) -| project recommendationId = "vm-2", name, id, Zones="No Zone" +| project recommendationId = "vm-2", name, id, param1="Zones: No Zone" diff --git a/docs/content/services/compute/virtual-machines/code/vm-20/vm-20.kql b/docs/content/services/compute/virtual-machines/code/vm-20/vm-20.kql index 580a73593..54c014d43 100644 --- a/docs/content/services/compute/virtual-machines/code/vm-20/vm-20.kql +++ b/docs/content/services/compute/virtual-machines/code/vm-20/vm-20.kql @@ -1,18 +1,18 @@ // Azure Resource Graph Query // Find all VMs that do not have the VM Insights extension installed -Resources +resources | where type == 'microsoft.compute/virtualmachines' | extend JoinID = toupper(id), vmName = name, OSType = tostring(properties.storageProfile.osDisk.osType) | join kind=leftouter( - Resources + resources | where type == 'microsoft.compute/virtualmachines/extensions' | extend VMId = toupper(substring(id, 0, indexof(id, '/extensions'))), ExtensionName = name ) on $left.JoinID == $right.VMId | where ExtensionName !contains "MicrosoftMonitoringAgent" and ExtensionName !contains "Microsoft.Azure.Monitoring.DependencyAgent" and ExtensionName !contains "OMSAgentForLinux" and ExtensionName !contains "DependencyAgentLinux" -| summarize Extensions = make_list(ExtensionName) by recommendationId="vm-20", vmName, id, OSType -| order by tolower(vmName) asc +| summarize param2 = strcat ("Extensions: ", make_list(ExtensionName)) by recommendationId="vm-20", name=vmName, id, param1=OSType +| order by tolower(name) asc diff --git a/docs/content/services/compute/virtual-machines/code/vm-3/vm-3.kql b/docs/content/services/compute/virtual-machines/code/vm-3/vm-3.kql index 2752f92fb..713b4d38f 100644 --- a/docs/content/services/compute/virtual-machines/code/vm-3/vm-3.kql +++ b/docs/content/services/compute/virtual-machines/code/vm-3/vm-3.kql 
@@ -8,4 +8,4 @@ Resources | summarize VMs = make_set(vmPrefix) by availabilitySet = tostring(properties.availabilitySet.id) | where array_length(VMs) > 1 | extend availabilitySetName = tostring(split(availabilitySet, '/')[8]) -| project recommendationId = "vm-3", availabilitySetName, availabilitySet, VMs +| project recommendationId = "vm-3", name=availabilitySetName, id="", param1=strcat("availabilitySet: ",availabilitySet), param2 = strcat("VMs :", VMs) diff --git a/docs/content/services/compute/virtual-machines/code/vm-8/vm-8.kql b/docs/content/services/compute/virtual-machines/code/vm-8/vm-8.kql index 796b8b4f3..1f8b4c6c8 100644 --- a/docs/content/services/compute/virtual-machines/code/vm-8/vm-8.kql +++ b/docs/content/services/compute/virtual-machines/code/vm-8/vm-8.kql @@ -4,4 +4,4 @@ Resources | where type =~ 'Microsoft.Compute/disks' | where sku.name == 'Standard_LRS' and sku.tier == 'Standard' | where managedBy != "" -| project recommendationId = "vm-8", name, id, managedBy +| project recommendationId = "vm-8", name, id, param1=strcat("managedBy: ", managedBy) diff --git a/docs/content/services/container/aks/code/aks-1/aks-1.kql b/docs/content/services/container/aks/code/aks-1/aks-1.kql index 592d09a00..acd9eec9e 100644 --- a/docs/content/services/container/aks/code/aks-1/aks-1.kql +++ b/docs/content/services/container/aks/code/aks-1/aks-1.kql @@ -1,6 +1,7 @@ // Azure Resource Graph Query -// Query AKS clusters with availability zones enabled -Resources +// Query AKS clusters not using zones +resources | where type == "microsoft.containerservice/managedclusters" | extend zones = tostring(parse_json(properties.agentPoolProfiles[0].availabilityZones)) -| project name, zones +| where isempty(zones) +| project recommendationid="aks-1", name, id, param1=strcat("zones: ", zones) diff --git a/docs/content/services/container/aks/code/aks-2/aks-2.kql b/docs/content/services/container/aks/code/aks-2/aks-2.kql index aeefa79c0..118dcd3b5 100644 
--- a/docs/content/services/container/aks/code/aks-2/aks-2.kql +++ b/docs/content/services/container/aks/code/aks-2/aks-2.kql @@ -1,5 +1,7 @@ // Azure Resource Graph Query -// Find AKS clusters with taints. +// Find AKS clusters not using taints. +resources | where type == "microsoft.containerservice/managedclusters" | extend taint = tostring(parse_json(properties.agentPoolProfiles[1].nodeTaints)) -| project name, taint +| where isempty(taint) +| project recommendationid="aks-2", name, id, param1=strcat("taint: ", taint) diff --git a/docs/content/services/container/aks/code/aks-3/aks-3.kql b/docs/content/services/container/aks/code/aks-3/aks-3.kql index e05ad7a0a..1489d56b3 100644 --- a/docs/content/services/container/aks/code/aks-3/aks-3.kql +++ b/docs/content/services/container/aks/code/aks-3/aks-3.kql @@ -1,8 +1,9 @@ // Azure Resource Graph Query -//description: Returns a list of AKS clusters with AAD enabled -Resources +// Returns a list of AKS clusters not using AAD enabled +resources | where type == "microsoft.containerservice/managedclusters" | extend aadProfile = tostring (parse_json(properties.aadProfile)) | extend disablelocalAdmin = tostring(parse_json(properties.disableLocalAccounts)) | extend RBAC = tostring(parse_json(properties.enableRBAC)) -| project name, aadProfile, disablelocalAdmin, RBAC +| where RBAC == "false" +| project recommendationId="aks-3", name, id, param1=strcat("aadProfile: ", aadProfile), param2=strcat("disablelocalAdmin: ",disablelocalAdmin), param3=strcat("RBAC: ", RBAC) diff --git a/docs/content/services/container/aks/code/aks-4/aks-4.kql b/docs/content/services/container/aks/code/aks-4/aks-4.kql index 85ed111e5..ec1404aa6 100644 --- a/docs/content/services/container/aks/code/aks-4/aks-4.kql +++ b/docs/content/services/container/aks/code/aks-4/aks-4.kql 
@@ -1,6 +1,7 @@ // Azure Resource Graph Query -// Network Profile for AKS Clusters -Resources +// Check AKS Clusters using kubenet network profile +resources | where type == "microsoft.containerservice/managedclusters" | extend networkProfile = tostring (parse_json(properties.networkProfile.networkPlugin)) -| project name, networkProfile +| where networkProfile =="kubenet" +| project recommendationId="aks-4", name,id,param1=strcat("networkProfile :",networkProfile) diff --git a/docs/content/services/container/aks/code/aks-5/aks-5.kql b/docs/content/services/container/aks/code/aks-5/aks-5.kql index f9f9395db..196cf59f9 100644 --- a/docs/content/services/container/aks/code/aks-5/aks-5.kql +++ b/docs/content/services/container/aks/code/aks-5/aks-5.kql @@ -1,6 +1,7 @@ // Azure Resource Graph Query -// Find AKS clusters with auto-scaling enabled +// Find AKS clusters with auto-scaling disabled Resources | where type == "microsoft.containerservice/managedclusters" | extend autoScaling = tostring (parse_json(properties.agentPoolProfiles.[0].enableAutoScaling)) -| project name, autoScaling +| where autoScaling == "false" +| project recommendationId="aks-5", name, id, param1=strcat("autoScaling :", autoScaling) diff --git a/docs/content/services/container/aks/code/cm-1/cm-1.kql b/docs/content/services/container/aks/code/cm-1/cm-1.kql index 8fa0b5a6f..5e039f9a0 100644 --- a/docs/content/services/container/aks/code/cm-1/cm-1.kql +++ b/docs/content/services/container/aks/code/cm-1/cm-1.kql @@ -1,6 +1,2 @@ // Azure Resource Graph Query -// Brief description of the intent of the query (focus on returning resources NOT following your recommendation, and usually name and ResourceId are enough for the report) -Resources -| where type =~ "Microsoft.Example/changeMe" -| project recommendationId = "cm-1", name, id -| order by id asc +// Under development 
diff --git a/docs/content/services/container/aks/code/cm-2/cm-2.kql b/docs/content/services/container/aks/code/cm-2/cm-2.kql index c86d926a9..2480a1ac3 100644 --- a/docs/content/services/container/aks/code/cm-2/cm-2.kql +++ b/docs/content/services/container/aks/code/cm-2/cm-2.kql @@ -1,6 +1,2 @@ // Azure Resource Graph Query -// Brief description of the intent of the query (focus on returning resources NOT following your recommendation, and usually name and ResourceId are enough for the report) -Resources -| where type =~ "Microsoft.Example/changeMe2" -| project recommendationId = "cm-2", name, id -| order by id asc +// under development diff --git a/docs/content/services/container/azure-container-registry/code/cr-3/cr-3.kql b/docs/content/services/container/azure-container-registry/code/cr-3/cr-3.kql index 15b7d4a09..c6201b296 100644 --- a/docs/content/services/container/azure-container-registry/code/cr-3/cr-3.kql +++ b/docs/content/services/container/azure-container-registry/code/cr-3/cr-3.kql @@ -11,5 +11,5 @@ resources ) on registryId | project-away registryId1, replicationId | where isempty(replicationRegion) -| project recommendationId = "vm-1", registryName, registryId -| order by registryId asc +| project recommendationId = "vm-1", name=registryName, id=registryId +| order by id asc diff --git a/docs/content/services/container/azure-container-registry/code/cr-6/cr-6.kql b/docs/content/services/container/azure-container-registry/code/cr-6/cr-6.kql index 64ba9f1ee..29e16300a 100644 --- a/docs/content/services/container/azure-container-registry/code/cr-6/cr-6.kql +++ b/docs/content/services/container/azure-container-registry/code/cr-6/cr-6.kql 
@@ -4,5 +4,5 @@ resources | project resourceGroup, resourceType = type | summarize resourceTypes = make_set(resourceType) by resourceGroup | where array_index_of(resourceTypes, "microsoft.containerregistry/registries") != -1 -| project recommendationId = "cr-6", resourceGroup, resourceTypes -| order by resourceGroup asc +| project recommendationId = "cr-6", name=strcat("resourceGroup: ",resourceGroup), id="", resourceTypes +| order by name asc diff --git a/docs/content/services/database/cosmosdb/code/cosmos-2/cosmos-2.kql b/docs/content/services/database/cosmosdb/code/cosmos-2/cosmos-2.kql index 73cb8764e..9f25dcf7c 100644 --- a/docs/content/services/database/cosmosdb/code/cosmos-2/cosmos-2.kql +++ b/docs/content/services/database/cosmosdb/code/cosmos-2/cosmos-2.kql @@ -1,4 +1,4 @@ -Resources +resources | where type =~ 'Microsoft.DocumentDb/databaseAccounts' | where array_length(properties.locations) > 1 and diff --git a/docs/content/services/database/cosmosdb/code/cosmos-4/cosmos-4.kql b/docs/content/services/database/cosmosdb/code/cosmos-4/cosmos-4.kql index 651ac4187..d7386c2c6 100644 --- a/docs/content/services/database/cosmosdb/code/cosmos-4/cosmos-4.kql +++ b/docs/content/services/database/cosmosdb/code/cosmos-4/cosmos-4.kql @@ -1,4 +1,4 @@ //This query returns default consistency level for all Cosmos DB accounts. -Resources +resources | where type =~ 'Microsoft.DocumentDb/databaseAccounts' -| project recommendationId='cosmos-4', name, consistency=properties.consistencyPolicy.defaultConsistencyLevel, id +| project recommendationId='cosmos-4', name, id, param1=strcat("consistency: ", properties.consistencyPolicy.defaultConsistencyLevel) diff --git a/docs/content/services/monitoring/log-analytics/code/log-2/log-2.kql b/docs/content/services/monitoring/log-analytics/code/log-2/log-2.kql index 6794daa02..a547fdd3c 100644 --- a/docs/content/services/monitoring/log-analytics/code/log-2/log-2.kql 
+++ b/docs/content/services/monitoring/log-analytics/code/log-2/log-2.kql @@ -3,4 +3,4 @@ resources | where type == 'microsoft.operationalinsights/clusters' | extend AvailabilityZonesEnabled = tostring(properties.isAvailabilityZonesEnabled) -| project name, resourceGroup, AvailabilityZonesEnabled +| project recommendationId="log-2", name, id, param1=strcat("AvailabilityZonesEnabled: ", AvailabilityZonesEnabled) diff --git a/docs/content/services/networking/Application Gateway/code/appgw-1/appgw-1.kql b/docs/content/services/networking/Application Gateway/code/appgw-1/appgw-1.kql deleted file mode 100644 index e19ce7336..000000000 --- a/docs/content/services/networking/Application Gateway/code/appgw-1/appgw-1.kql +++ /dev/null @@ -1,7 +0,0 @@ -// Azure Resource Graph Query -// This query will return all Application Gateways that do not have autoscale enabled or have a min capacity of 1 -resources -| where type =~ "microsoft.network/applicationGateways" -| where isnull(properties.capacity.autoScaleConfiguration) or properties.capacity.autoScaleConfiguration.minCapacity <= 1 -| project recommendationId = "appgw-1", name, id, param1 = "autoScaleConfiguration: isNull or MinCapacity <= 1" -| order by id asc diff --git a/docs/content/services/networking/Application Gateway/code/appgw-3/appgw-3.kql b/docs/content/services/networking/Application Gateway/code/appgw-3/appgw-3.kql deleted file mode 100644 index bb78140a3..000000000 --- a/docs/content/services/networking/Application Gateway/code/appgw-3/appgw-3.kql +++ /dev/null @@ -1,7 +0,0 @@ -// Azure Resource Graph Query -// This query will return all Application Gateways that do not have WAF enabled -Resources -| where type =~ "microsoft.network/applicationGateways" -| where isnull(properties.webApplicationFirewallConfiguration) -| project recommendationId = "appgw-3", name, id, param1 = "webApplicationFirewallConfiguration: isNull" -| order by id asc 
diff --git a/docs/content/services/networking/Application Gateway/code/appgw-4/appgw-4.kql b/docs/content/services/networking/Application Gateway/code/appgw-4/appgw-4.kql deleted file mode 100644 index 7f15898e3..000000000 --- a/docs/content/services/networking/Application Gateway/code/appgw-4/appgw-4.kql +++ /dev/null @@ -1,8 +0,0 @@ -// Azure Resource Graph Query -// This query will return all Application Gateways in your Azure environment and will identify if they are v1 or v2 -resources -| where type =~ "microsoft.network/applicationGateways" -| extend sku = tolower(tostring(properties.sku.name)) -| where sku != "waf_v2" and sku != "standard_v2" -| project recommendationId = "appgw-4", name, id, param1 = "sku: v1" -| order by id asc diff --git a/docs/content/services/networking/application-gateway/_index.md b/docs/content/services/networking/application-gateway/_index.md index c8768d016..a6009f0d7 100644 --- a/docs/content/services/networking/application-gateway/_index.md +++ b/docs/content/services/networking/application-gateway/_index.md @@ -48,7 +48,7 @@ Definitions of states can be found [here]({{< ref "../../../_index.md#definition **Resource Graph Query/Scripts** {{< collapse title="Show/Hide Query/Script" >}} -{{< code lang="sql" file="code/AGW-1/AGW-1.kql" >}} {{< /code >}} +{{< code lang="sql" file="code/agw-1/agw-1.kql" >}} {{< /code >}} {{< /collapse >}}

@@ -72,7 +72,7 @@ Ensure that all incoming connections are using HTTP/s for production services. {{< collapse title="Show/Hide Query/Script" >}} -{{< code lang="sql" file="code/AGW-2/AGW-2.kql" >}} {{< /code >}} +{{< code lang="sql" file="code/agw-2/agw-2.kql" >}} {{< /code >}} {{< /collapse >}} @@ -95,7 +95,7 @@ Use Application Gateway with Web Application Firewall (WAF) within an applicatio {{< collapse title="Show/Hide Query/Script" >}} -{{< code lang="sql" file="code/AGW-3/AGW-3.kql" >}} {{< /code >}} +{{< code lang="sql" file="code/agw-3/agw-3.kql" >}} {{< /code >}} {{< /collapse >}} @@ -119,7 +119,7 @@ You should use Application Gateway v2 unless there is a compelling reason for us {{< collapse title="Show/Hide Query/Script" >}} -{{< code lang="sql" file="code/AGW-4/AGW-4.kql" >}} {{< /code >}} +{{< code lang="sql" file="code/agw-4/agw-4.kql" >}} {{< /code >}} {{< /collapse >}} @@ -142,7 +142,7 @@ Enable logs that can be stored in storage accounts, Log Analytics, and other mon {{< collapse title="Show/Hide Query/Script" >}} -{{< code lang="sql" file="code/AGW-5/AGW-5.kql" >}} {{< /code >}} +{{< code lang="sql" file="code/agw-5/agw-5.kql" >}} {{< /code >}} {{< /collapse >}} @@ -165,7 +165,7 @@ Using custom health probes can help with understand the availability of your bac {{< collapse title="Show/Hide Query/Script" >}} -{{< code lang="sql" file="code/AGW-6/AGW-6.kql" >}} {{< /code >}} +{{< code lang="sql" file="code/agw-6/agw-6.kql" >}} {{< /code >}} {{< /collapse >}} @@ -188,7 +188,7 @@ Deploying your backend services in a zone-aware configurations ensures that if a {{< collapse title="Show/Hide Query/Script" >}} -{{< code lang="sql" file="code/AGW-7/AGW-7.kql" >}} {{< /code >}} +{{< code lang="sql" file="code/agw-7/agw-7.kql" >}} {{< /code >}} {{< /collapse >}} 
@@ -211,7 +211,7 @@ Plan for backend maintenance by using connection draining. Connection draining h {{< collapse title="Show/Hide Query/Script" >}} -{{< code lang="sql" file="code/AGW-8/AGW-8.kql" >}} {{< /code >}} +{{< code lang="sql" file="code/agw-8/agw-8.kql" >}} {{< /code >}} {{< /collapse >}} diff --git a/docs/content/services/networking/application-gateway/code/agw-1/agw-1.kql b/docs/content/services/networking/application-gateway/code/agw-1/agw-1.kql index e19ce7336..9ea597974 100644 --- a/docs/content/services/networking/application-gateway/code/agw-1/agw-1.kql +++ b/docs/content/services/networking/application-gateway/code/agw-1/agw-1.kql @@ -3,5 +3,5 @@ resources | where type =~ "microsoft.network/applicationGateways" | where isnull(properties.capacity.autoScaleConfiguration) or properties.capacity.autoScaleConfiguration.minCapacity <= 1 -| project recommendationId = "appgw-1", name, id, param1 = "autoScaleConfiguration: isNull or MinCapacity <= 1" +| project recommendationId = "agw-1", name, id, param1 = "autoScaleConfiguration: isNull or MinCapacity <= 1" | order by id asc diff --git a/docs/content/services/networking/application-gateway/code/agw-2/agw-2.kql b/docs/content/services/networking/application-gateway/code/agw-2/agw-2.kql index 7c7e2501c..36ae854b4 100644 --- a/docs/content/services/networking/application-gateway/code/agw-2/agw-2.kql +++ b/docs/content/services/networking/application-gateway/code/agw-2/agw-2.kql 
@@ -1,5 +1,5 @@ -Resources +resources | where type == "microsoft.network/applicationGateways" -| extend ssl_enabled = tobool(properties.sslCertificates[0].keyVaultSecretId != null or properties.sslCertificates[0].keyVaultSecretUrl != null) -| where properties.frontendPorts[0].port == 443 and ssl_enabled == true -| project name, ssl_enabled +| extend ssl_enabled = tobool(isnotnull(properties.sslCertificates[0].keyVaultSecretId) or isnotnull(properties.sslCertificates[0].keyVaultSecretUrl)) +| where properties.frontendPorts[0].port == 443 and ssl_enabled == "true" +| project recommendationId="agw-2",name,id, param1=strcat("ssl_enabled: ", ssl_enabled) diff --git a/docs/content/services/networking/application-gateway/code/agw-3/agw-3.kql b/docs/content/services/networking/application-gateway/code/agw-3/agw-3.kql index bb78140a3..4c4e54bd1 100644 --- a/docs/content/services/networking/application-gateway/code/agw-3/agw-3.kql +++ b/docs/content/services/networking/application-gateway/code/agw-3/agw-3.kql @@ -3,5 +3,5 @@ Resources | where type =~ "microsoft.network/applicationGateways" | where isnull(properties.webApplicationFirewallConfiguration) -| project recommendationId = "appgw-3", name, id, param1 = "webApplicationFirewallConfiguration: isNull" +| project recommendationId = "agw-3", name, id, param1 = "webApplicationFirewallConfiguration: isNull" | order by id asc diff --git a/docs/content/services/networking/application-gateway/code/agw-4/agw-4.kql b/docs/content/services/networking/application-gateway/code/agw-4/agw-4.kql index 7f15898e3..1a3548dfd 100644 --- a/docs/content/services/networking/application-gateway/code/agw-4/agw-4.kql +++ b/docs/content/services/networking/application-gateway/code/agw-4/agw-4.kql 
@@ -4,5 +4,5 @@ resources | where type =~ "microsoft.network/applicationGateways" | extend sku = tolower(tostring(properties.sku.name)) | where sku != "waf_v2" and sku != "standard_v2" -| project recommendationId = "appgw-4", name, id, param1 = "sku: v1" +| project recommendationId = "agw-4", name, id, param1 = "sku: v1" | order by id asc diff --git a/docs/content/services/networking/application-gateway/code/agw-5/agw-5.kql b/docs/content/services/networking/application-gateway/code/agw-5/agw-5.kql index e8ebd247c..ffd06390e 100644 --- a/docs/content/services/networking/application-gateway/code/agw-5/agw-5.kql +++ b/docs/content/services/networking/application-gateway/code/agw-5/agw-5.kql 
@@ -1,41 +1,42 @@ -Resources -| where type == "microsoft.network/applicationGateways" -| extend resourceId = tostring(id) -| join (Resources - | where type == "microsoft.insights/components" - | extend componentName = name - | extend componentResourceId = id - | project componentResourceId, componentName - ) on $left.resourceId == $right.componentResourceId -| extend startDateTime = ago(30d) -| extend endDateTime = now() -| mvexpand componentName -| summarize by name, componentName, componentResourceId -| project name, componentName, componentResourceId, - appGatewayLogs = make_list( - { - type = "ApplicationGatewayAccess", - workspace = componentName, - startDateTime = startDateTime, - endDateTime = endDateTime, - resourceId = resourceId - } - ), - appGatewayConfigLogs = make_list( - { - type = "ApplicationGatewayConfig", - workspace = componentName, - startDateTime = startDateTime, - endDateTime = endDateTime, - resourceId = resourceId - } - ), - appGatewayWafLogs = make_list( - { - type = "ApplicationGatewayFirewallLog", - workspace = componentName, - startDateTime = startDateTime, - endDateTime = endDateTime, - resourceId = resourceId - } - ) +// under development +// resources +// where type == "microsoft.network/applicationGateways" +//| extend resourceId = tostring(id) +//| join (Resources +// | where type == "microsoft.insights/components" +// | extend componentName = name +// | extend componentResourceId = id +// | project componentResourceId, componentName +// ) on $left.resourceId == $right.componentResourceId +//| extend startDateTime = ago(30d) +//| extend endDateTime = now() +//| mvexpand componentName +//| summarize by name, componentName, componentResourceId +//| project name, componentName, componentResourceId, +// appGatewayLogs = make_list( +// { +// type = "ApplicationGatewayAccess", + // workspace = componentName, +// startDateTime = startDateTime, +// endDateTime = endDateTime, +// resourceId = resourceId +// } +// ), +// appGatewayConfigLogs 
= make_list( +// { +// type = "ApplicationGatewayConfig", +// workspace = componentName, +// startDateTime = startDateTime, +// endDateTime = endDateTime, +// resourceId = resourceId +// } +// ), +// appGatewayWafLogs = make_list( +// { +// type = "ApplicationGatewayFirewallLog", +// workspace = componentName, +// startDateTime = startDateTime, +// endDateTime = endDateTime, +// resourceId = resourceId +// } +// ) diff --git a/docs/content/services/networking/application-gateway/code/agw-6/agw-6.kql b/docs/content/services/networking/application-gateway/code/agw-6/agw-6.kql index 4739b38f8..0c9a30355 100644 --- a/docs/content/services/networking/application-gateway/code/agw-6/agw-6.kql +++ b/docs/content/services/networking/application-gateway/code/agw-6/agw-6.kql @@ -1,6 +1,8 @@ -Resources -| where type == "microsoft.network/applicationGateways" -| extend appGatewayResourceId = tostring(id) -| mvexpand probeConfig = properties.probes -| where probeConfig.probeName != "GatewaySslCertificate" -| project appGatewayResourceId, customHealthProbeUsed = iif(isnotempty(probeConfig.pickHostName), "Yes", "No") +//under development +//Resources +//| where type == "microsoft.network/applicationGateways" +//| extend appGatewayResourceId = tostring(id) +//| mvexpand probeConfig = properties.probes +//| where probeConfig.probeName != "GatewaySslCertificate" +//| where iif(isnotempty(probeConfig.pickHostName), "Yes", "No") +//| project recommendationId="agw-6",name, id, param1=strcat("appGatewayResourceId: ", appGatewayResourceId), param2=strcat("customHealthProbeUsed :", customHealthProbeUsed) diff --git a/docs/content/services/networking/expressroute-circuits/code/erc-1/erc-1.kql b/docs/content/services/networking/expressroute-circuits/code/erc-1/erc-1.kql index 59e0bfbf1..5ef2c647d 100644 --- a/docs/content/services/networking/expressroute-circuits/code/erc-1/erc-1.kql +++ b/docs/content/services/networking/expressroute-circuits/code/erc-1/erc-1.kql 
@@ -4,5 +4,5 @@ Resources | where type =~ 'Microsoft.Network/expressRouteCircuits' | where properties.value[0].provisioningState != 'Succeeded' or properties.value[1].provisioningState != 'Succeeded' | where not(properties.peerings[0].properties.primaryPeerAddressPrefix != "null" and properties.peerings[0].properties.secondaryPeerAddressPrefix != "null") -| project recommendationId = "erc-1", name, id, Peer1_IP = properties.peerings[0].properties.primaryPeerAddressPrefix, Peer2_IP = properties.peerings[0].properties.secondaryPeerAddressPrefix +| project recommendationId = "erc-1", name, id, param1 = strcat("Peer1_IP: ",properties.peerings[0].properties.primaryPeerAddressPrefix), param2=strcat("Peer2_IP: ", properties.peerings[0].properties.secondaryPeerAddressPrefix) | order by id asc diff --git a/docs/content/services/networking/expressroute-circuits/code/erc-5/erc-5.kql b/docs/content/services/networking/expressroute-circuits/code/erc-5/erc-5.kql index 415b51d50..a945f61a0 100644 --- a/docs/content/services/networking/expressroute-circuits/code/erc-5/erc-5.kql +++ b/docs/content/services/networking/expressroute-circuits/code/erc-5/erc-5.kql @@ -11,4 +11,4 @@ resources | where type =~ "microsoft.network/expressRouteCircuits" | project name, rightErCId = id) on $left.ErCId == $right.rightErCId -| project recommendationId = "erc-5", name, ExpressRouteCircuitID = rightErCId, monitoredMetrics +| project recommendationId = "erc-5", name, param1=strcat("ExpressRouteCircuitID: ", rightErCId), param2=strcat("monitoredMetrics: ",monitoredMetrics) diff --git a/docs/content/services/networking/expressroute-gateway/code/erg-1/erg-1.kql b/docs/content/services/networking/expressroute-gateway/code/erg-1/erg-1.kql index 353be67e8..ee27d6759 100644 --- a/docs/content/services/networking/expressroute-gateway/code/erg-1/erg-1.kql +++ b/docs/content/services/networking/expressroute-gateway/code/erg-1/erg-1.kql 
@@ -1,8 +1,8 @@ // Azure Resource Graph Query // For all VNGs of type ExpressRoute, show any that do not have AZ in the SKU tier -Resources +resources | where type =~ "Microsoft.Network/virtualNetworkGateways" | where properties.gatewayType == "ExpressRoute" | where properties.sku.tier !contains 'AZ' -| project recommendationId = "ergw-1", name, id, ["sku-tier"] = properties.sku.tier, location +| project recommendationId = "ergw-1", name, id, param1= strcat("sku-tier: " , properties.sku.tier), param2=location | order by id asc diff --git a/docs/content/services/networking/expressroute-gateway/code/erg-4/erg-4.kql b/docs/content/services/networking/expressroute-gateway/code/erg-4/erg-4.kql index 6a61133cf..f764b9037 100644 --- a/docs/content/services/networking/expressroute-gateway/code/erg-4/erg-4.kql +++ b/docs/content/services/networking/expressroute-gateway/code/erg-4/erg-4.kql @@ -11,5 +11,5 @@ resources | extend region = tostring(location) | extend ErGwName = tostring(name) ) on region -| project recommendationId = "erg-4", name, id, ErGwName, region +| project recommendationId = "erg-4", name, id, param1=strcat("ErGwName: ",ErGwName), param2=region | order by id asc diff --git a/docs/content/services/networking/firewall/code/afw-1/afw-1.kql b/docs/content/services/networking/firewall/code/afw-1/afw-1.kql index 08e038983..bb6998b6e 100644 --- a/docs/content/services/networking/firewall/code/afw-1/afw-1.kql +++ b/docs/content/services/networking/firewall/code/afw-1/afw-1.kql @@ -1,3 +1,4 @@ // Find Azure Firewalls that have been deployed as non-zonal/noo-zone-redundant resources -Resources +resources | where type == 'microsoft.network/azurefirewalls' and zones != "" +| project recommendationid="afw-1",name, id diff --git a/docs/content/services/networking/firewall/code/afw-2/afw-2-rosantosf2.kql b/docs/content/services/networking/firewall/code/afw-2/afw-2-rosantosf2.kql deleted file mode 100644 index 1911226b1..000000000 
--- a/docs/content/services/networking/firewall/code/afw-2/afw-2-rosantosf2.kql +++ /dev/null @@ -1 +0,0 @@ -// in development diff --git a/docs/content/services/networking/firewall/code/afw-2/afw-2.kql b/docs/content/services/networking/firewall/code/afw-2/afw-2.kql index 010c16666..7b5bb5473 100644 --- a/docs/content/services/networking/firewall/code/afw-2/afw-2.kql +++ b/docs/content/services/networking/firewall/code/afw-2/afw-2.kql @@ -1,3 +1 @@ -Resources -| where type =~ "Microsoft.Example/changeMe" -| summarize count() by location +// under development diff --git a/docs/content/services/networking/firewall/code/afw-3/afw-3.kql b/docs/content/services/networking/firewall/code/afw-3/afw-3.kql index 0f630f061..9947b7bbd 100644 --- a/docs/content/services/networking/firewall/code/afw-3/afw-3.kql +++ b/docs/content/services/networking/firewall/code/afw-3/afw-3.kql @@ -6,4 +6,4 @@ resources | project firewallId = properties_scopes, monitoredMetric = properties_criteria_allOf.metricName | summarize monitoredMetrics=make_list(monitoredMetric) by tostring(firewallId) | join kind=fullouter (resources | where type == "microsoft.network/azurefirewalls" | project rightFirewallId = id) on $left.firewallId == $right.rightFirewallId -| project firewallId = rightFirewallId, monitoredMetrics +| project recommendationid="afw-3",name, id, param1= rightFirewallId, param2= monitoredMetrics diff --git a/docs/content/services/networking/firewall/code/afw-4/afw-4-rosantosf2.kql b/docs/content/services/networking/firewall/code/afw-4/afw-4-rosantosf2.kql deleted file mode 100644 index 1911226b1..000000000 --- a/docs/content/services/networking/firewall/code/afw-4/afw-4-rosantosf2.kql +++ /dev/null @@ -1 +0,0 @@ -// in development diff --git a/docs/content/services/networking/firewall/code/afw-4/afw-4.kql b/docs/content/services/networking/firewall/code/afw-4/afw-4.kql index 010c16666..7b5bb5473 100644 --- a/docs/content/services/networking/firewall/code/afw-4/afw-4.kql 
+++ b/docs/content/services/networking/firewall/code/afw-4/afw-4.kql @@ -1,3 +1 @@ -Resources -| where type =~ "Microsoft.Example/changeMe" -| summarize count() by location +// under development diff --git a/docs/content/services/networking/firewall/code/afw-5/afw-5.kql b/docs/content/services/networking/firewall/code/afw-5/afw-5.kql index 7a5b11c73..eb9db4705 100644 --- a/docs/content/services/networking/firewall/code/afw-5/afw-5.kql +++ b/docs/content/services/networking/firewall/code/afw-5/afw-5.kql @@ -2,10 +2,10 @@ resources | where type == "microsoft.network/azurefirewalls" | mv-expand properties.ipConfigurations -| project firewallId = id, vNet= substring(properties_ipConfigurations.properties.subnet.id, 0, indexof(properties_ipConfigurations.properties.subnet,"/subnet") - 7) +| project name, firewallId = id, vNet= substring(properties_ipConfigurations.properties.subnet.id, 0, indexof(properties_ipConfigurations.properties.subnet,"/subnet") - 7) | join kind=fullouter (resources | where type == "microsoft.network/ddosprotectionplans" | mv-expand properties.virtualNetworks | extend vNet = tostring(properties_virtualNetworks.id) | project ddosProtectionPlan = id, vNet) on $left.vNet == $right.vNet -| project firewallId, ddosProtectionPlan +| project recommendationId="afw-5", name, id=firewallId, param1=strcat("ddosProtectionPlan: ", ddosProtectionPlan) diff --git a/docs/content/services/networking/firewall/code/afw-6/afw-6-rosantosf2.kql b/docs/content/services/networking/firewall/code/afw-6/afw-6-rosantosf2.kql deleted file mode 100644 index 1911226b1..000000000 --- a/docs/content/services/networking/firewall/code/afw-6/afw-6-rosantosf2.kql +++ /dev/null @@ -1 +0,0 @@ -// in development diff --git a/docs/content/services/networking/firewall/code/afw-6/afw-6.kql b/docs/content/services/networking/firewall/code/afw-6/afw-6.kql index 010c16666..de7d795ad 100644 --- a/docs/content/services/networking/firewall/code/afw-6/afw-6.kql 
+++ b/docs/content/services/networking/firewall/code/afw-6/afw-6.kql @@ -1,3 +1 @@ -Resources -| where type =~ "Microsoft.Example/changeMe" -| summarize count() by location +//under development diff --git a/docs/content/services/networking/firewall/code/afw-7/afw-7-rosantosf2.kql b/docs/content/services/networking/firewall/code/afw-7/afw-7-rosantosf2.kql deleted file mode 100644 index 1911226b1..000000000 --- a/docs/content/services/networking/firewall/code/afw-7/afw-7-rosantosf2.kql +++ /dev/null @@ -1 +0,0 @@ -// in development diff --git a/docs/content/services/networking/firewall/code/afw-7/afw-7.kql b/docs/content/services/networking/firewall/code/afw-7/afw-7.kql index 010c16666..7b5bb5473 100644 --- a/docs/content/services/networking/firewall/code/afw-7/afw-7.kql +++ b/docs/content/services/networking/firewall/code/afw-7/afw-7.kql @@ -1,3 +1 @@ -Resources -| where type =~ "Microsoft.Example/changeMe" -| summarize count() by location +// under development diff --git a/docs/content/services/networking/front-door/code/afd-1/afd-1-rosantosf2.kql b/docs/content/services/networking/front-door/code/afd-1/afd-1-rosantosf2.kql deleted file mode 100644 index 1b9387c18..000000000 --- a/docs/content/services/networking/front-door/code/afd-1/afd-1-rosantosf2.kql +++ /dev/null @@ -1,3 +0,0 @@ -resources -| where type == "microsoft.Network/trafficmanagerprofiles" or type == "microsoft.cdn/profiles" -| project recommendationId = "afd-1", name, id diff --git a/docs/content/services/networking/front-door/code/afd-1/afd-1.kql b/docs/content/services/networking/front-door/code/afd-1/afd-1.kql index 43e186e81..1b9387c18 100644 --- a/docs/content/services/networking/front-door/code/afd-1/afd-1.kql +++ b/docs/content/services/networking/front-door/code/afd-1/afd-1.kql @@ -1,3 +1,3 @@ resources | where type == "microsoft.Network/trafficmanagerprofiles" or type == "microsoft.cdn/profiles" -| project recommendationId = "fd-1", name, id +| project recommendationId = "afd-1", name, id 
diff --git a/docs/content/services/networking/front-door/code/afd-10/afd-10-rosantosf2.kql b/docs/content/services/networking/front-door/code/afd-10/afd-10-rosantosf2.kql deleted file mode 100644 index a438d6a60..000000000 --- a/docs/content/services/networking/front-door/code/afd-10/afd-10-rosantosf2.kql +++ /dev/null @@ -1,4 +0,0 @@ -resources -| where type == "microsoft.cdn/cdnwebapplicationfirewallpolicies" -| where properties['policySettings']['enabledState'] == "Enabled" -| project recommendationId = "afd-10", name, id diff --git a/docs/content/services/networking/front-door/code/afd-10/afd-10.kql b/docs/content/services/networking/front-door/code/afd-10/afd-10.kql index 42d565491..a438d6a60 100644 --- a/docs/content/services/networking/front-door/code/afd-10/afd-10.kql +++ b/docs/content/services/networking/front-door/code/afd-10/afd-10.kql @@ -1,4 +1,4 @@ resources | where type == "microsoft.cdn/cdnwebapplicationfirewallpolicies" | where properties['policySettings']['enabledState'] == "Enabled" -| project recommendationId = "fd-10", name, id +| project recommendationId = "afd-10", name, id diff --git a/docs/content/services/networking/front-door/code/afd-11/afd-11.kql b/docs/content/services/networking/front-door/code/afd-11/afd-11.kql index 9c76b0579..51060d474 100644 --- a/docs/content/services/networking/front-door/code/afd-11/afd-11.kql +++ b/docs/content/services/networking/front-door/code/afd-11/afd-11.kql @@ -1,4 +1,4 @@ resources | where type == "microsoft.network/frontdoorwebapplicationfirewallpolicies" | where properties['managedRules']['managedRuleSets'][0]['ruleSetType'] == "Microsoft_DefaultRuleSet" -| project recommendationId = "fd-11", name, id +| project recommendationId = "afd-11", name, id diff --git a/docs/content/services/networking/traffic-manager/_index.md b/docs/content/services/networking/traffic-manager/_index.md index ea6bb6aab..e1a61529b 100644 --- a/docs/content/services/networking/traffic-manager/_index.md 
+++ b/docs/content/services/networking/traffic-manager/_index.md @@ -40,14 +40,14 @@ Definitions of states can be found [here]({{< ref "../../../_index.md#definition **Resources** -- [Azure Traffic Manager endpoint monitoring](https://learn.microsoft.com/en-us/azure/traffic-manager/traffic-manager-monitoring) -- [Enable or disable health checks](https://learn.microsoft.com/en-us/azure/traffic-manager/traffic-manager-monitoring#enable-or-disable-health-checks-preview) -- [Troubleshooting degraded state on Azure Traffic Manager](https://learn.microsoft.com/en-us/azure/traffic-manager/traffic-manager-troubleshooting-degraded) +- [Azure Traffic Manager endpoint monitoring](https://learn.microsoft.com/azure/traffic-manager/traffic-manager-monitoring) +- [Enable or disable health checks](https://learn.microsoft.com/azure/traffic-manager/traffic-manager-monitoring#enable-or-disable-health-checks-preview) +- [Troubleshooting degraded state on Azure Traffic Manager](https://learn.microsoft.com/azure/traffic-manager/traffic-manager-troubleshooting-degraded) **Resource Graph Query/Scripts** {{< collapse title="Show/Hide Query/Script" >}} -{{< code lang="sql" file="code/TRAF-1/TRAF-1.kql" >}} {{< /code >}} +{{< code lang="sql" file="code/traf-1/traf-1.kql" >}} {{< /code >}} {{< /collapse >}}

@@ -61,13 +61,13 @@ When configuring the Azure traffic manager, you should provision minimum of two **Resources** -- [Traffic Manager Endpoint Types](https://learn.microsoft.com/en-us/azure/traffic-manager/traffic-manager-endpoint-types) +- [Traffic Manager Endpoint Types](https://learn.microsoft.com/azure/traffic-manager/traffic-manager-endpoint-types) **Resource Graph Query/Scripts** {{< collapse title="Show/Hide Query/Script" >}} -{{< code lang="sql" file="code/TRAF-2/TRAF-2.kql" >}} {{< /code >}} +{{< code lang="sql" file="code/traf-2/traf-2.kql" >}} {{< /code >}} {{< /collapse >}} @@ -84,13 +84,13 @@ Profiles should have more than one endpoint to ensure availability if one of the **Resources** - [Reliability recommendations -](https://learn.microsoft.com/en-us/azure/advisor/advisor-reference-reliability-recommendations#add-at-least-one-more-endpoint-to-the-profile-preferably-in-another-azure-region) +](https://learn.microsoft.com/azure/advisor/advisor-reference-reliability-recommendations#add-at-least-one-more-endpoint-to-the-profile-preferably-in-another-azure-region) **Resource Graph Query/Scripts** {{< collapse title="Show/Hide Query/Script" >}} -{{< code lang="sql" file="code/TRAF-3/TRAF-3.kql" >}} {{< /code >}} +{{< code lang="sql" file="code/traf-3/traf-3.kql" >}} {{< /code >}} {{< /collapse >}} 
@@ -106,14 +106,14 @@ Time to Live (TTL) affects how recent of a response a client will get when it ma **Resources** -- [Configure DNS Time to Live to 60 seconds).](https://learn.microsoft.com/en-us/azure/advisor/advisor-reference-performance-recommendations#configure-dns-time-to-live-to-60-seconds) +- [Configure DNS Time to Live to 60 seconds).](https://learn.microsoft.com/azure/advisor/advisor-reference-performance-recommendations#configure-dns-time-to-live-to-60-seconds) - [Traffic Manager profile - ProfileTTL (Configure DNS Time to Live to 60 seconds).](https://aka.ms/Um3xr5) **Resource Graph Query/Scripts** {{< collapse title="Show/Hide Query/Script" >}} -{{< code lang="sql" file="code/TRAF-4/TRAF-4.kql" >}} {{< /code >}} +{{< code lang="sql" file="code/traf-4/traf-4.kql" >}} {{< /code >}} {{< /collapse >}} @@ -129,14 +129,14 @@ For geographic routing, traffic is routed to endpoints based on defined regions. **Resources** -- [Add an endpoint configured to "All (World)"](https://learn.microsoft.com/en-us/azure/advisor/advisor-reference-reliability-recommendations#add-an-endpoint-configured-to-all-world) +- [Add an endpoint configured to "All (World)"](https://learn.microsoft.com/azure/advisor/advisor-reference-reliability-recommendations#add-an-endpoint-configured-to-all-world) - [Traffic Manager profile - GeographicProfile (Add an endpoint configured to ""All (World)"").](https://aka.ms/Rf7vc5) **Resource Graph Query/Scripts** {{< collapse title="Show/Hide Query/Script" >}} -{{< code lang="sql" file="code/TRAF-5/TRAF-5.kql" >}} {{< /code >}} +{{< code lang="sql" file="code/traf-5/traf-5.kql" >}} {{< /code >}} {{< /collapse >}} diff --git a/docs/content/services/storage/storage-Account/_index.md b/docs/content/services/storage/storage-Account/_index.md index b9cf7fefc..ef05e7ae2 100644 --- a/docs/content/services/storage/storage-Account/_index.md +++ b/docs/content/services/storage/storage-Account/_index.md 
@@ -106,7 +106,7 @@ Consider using appropriate storage performance tier for standard storage / block {{< collapse title="Show/Hide Query/Script" >}} -{{< code lang="sql" file="/code/st-3/st-3.kql" >}} {{< /code >}} +{{< code lang="sql" file="code/st-3/st-3.kql" >}} {{< /code >}} {{< /collapse >}} @@ -130,7 +130,7 @@ Block blobs are optimized for uploading large amounts of data efficiently. Block {{< collapse title="Show/Hide Query/Script" >}} -{{< code lang="sql" file="/code/st-4/st-4.kql" >}} {{< /code >}} +{{< code lang="sql" file="code/st-4/st-4.kql" >}} {{< /code >}} {{< /collapse >}} diff --git a/services-abbreviations.csv b/services-abbreviations.csv new file mode 100644 index 000000000..12e3dd1b7 --- /dev/null +++ b/services-abbreviations.csv 
@@ -0,0 +1,179 @@ +Azure Service Name,Abbreviation,Resource provider namespace +Azure Cognitive Search,srch,Microsoft.Search/searchServices +Azure Cognitive Services,cog,Microsoft.CognitiveServices/accounts +Azure Machine Learning workspace,mlw,Microsoft.MachineLearningServices/workspaces +Azure Analysis Services server,as,Microsoft.AnalysisServices/servers +Azure Databricks,dbw,Microsoft.Databricks/workspaces +Azure Data Explorer cluster,dec,Microsoft.Kusto/clusters +Azure Data Explorer cluster database,dedb,Microsoft.Kusto/clusters/databases +Azure Data Factory,adf,Microsoft.DataFactory/factories +Azure Digital Twin instance,dt,Microsoft.DigitalTwins/digitalTwinsInstances +Azure Stream Analytics,asa,Microsoft.StreamAnalytics/cluster +Azure Synapse Analytics Workspaces,synw,Microsoft.Synapse/workspaces +Azure Synapse Analytics SQL Dedicated Pool,syndp,Microsoft.Synapse/workspaces/sqlPools +Azure Synapse Analytics Spark Pool,synsp,Microsoft.Synapse/workspaces/sqlPools +Data Lake Store account,dls,Microsoft.DataLakeStore/accounts +Data Lake Analytics account,dla,Microsoft.DataLakeAnalytics/accounts +Event Hubs namespace,evhns,Microsoft.EventHub/namespaces +Event hub,evh,Microsoft.EventHub/namespaces/eventHubs +Event Grid,evg,Microsoft.EventGrid/domains +Event Grid domain,evgd,Microsoft.EventGrid/domains +Event Grid subscriptions,evgs,Microsoft.EventGrid/eventSubscriptions +Event Grid topic,evgt,Microsoft.EventGrid/domains/topics +Event Grid system topic,egst,Microsoft.EventGrid/systemTopics +HDInsight - Hadoop cluster,hadoop,Microsoft.HDInsight/clusters +HDInsight - HBase cluster,hbase,Microsoft.HDInsight/clusters +HDInsight - Kafka cluster,kafka,Microsoft.HDInsight/clusters +HDInsight - Spark cluster,spark,Microsoft.HDInsight/clusters +HDInsight - Storm cluster,storm,Microsoft.HDInsight/clusters +HDInsight - ML Services cluster,mls,Microsoft.HDInsight/clusters +IoT hub,iot,Microsoft.Devices/IotHubs +Provisioning services,provs,Microsoft.Devices/provisioningServices 
+Provisioning services certificate,pcert,Microsoft.Devices/provisioningServices/certificates +Power BI Embedded,pbi,Microsoft.PowerBIDedicated/capacities +Time Series Insights environment,tsi,Microsoft.TimeSeriesInsights/environments +App Service environment,ase,Microsoft.Web/hostingEnvironments +App Service Plan,asp,Microsoft.Web/serverFarms +Azure Load Testing instance,lt,Microsoft.LoadTestService/loadTests +Availability set,avail,Microsoft.Compute/availabilitySets +Azure Arc enabled server,arcs,Microsoft.HybridCompute/machines +Azure Arc enabled Kubernetes cluster,arck,Microsoft.Kubernetes/connectedClusters +Batch accounts,ba,Microsoft.Batch/batchAccounts +Cloud service,cld,Microsoft.Compute/cloudServices +Communication Services,acs,Microsoft.Communication/communicationServices +Disk encryption set,des,Microsoft.Compute/diskEncryptionSets +Function app,func,Microsoft.Web/sites +Gallery,gal,Microsoft.Compute/galleries +Hosting environment,host,Microsoft.Web/hostingEnvironments +Image template,it,Microsoft.VirtualMachineImages/imageTemplates +Managed disk (OS),osdisk,Microsoft.Compute/disks +Managed disk (data),disk,Microsoft.Compute/disks +Notification Hubs,ntf,Microsoft.NotificationHubs/namespaces/notificationHubs +Notification Hubs namespace,ntfns,Microsoft.NotificationHubs/namespaces +Proximity placement group,ppg,Microsoft.Compute/proximityPlacementGroups +Snapshot,snap,Microsoft.Compute/snapshots +Static web app,stapp,Microsoft.Web/staticSites +Virtual machine,vm,Microsoft.Compute/virtualMachines +Virtual machine scale set,vmss,Microsoft.Compute/virtualMachineScaleSets +Virtual machine maintenance configuration,mc,Microsoft.Maintenance/maintenanceConfigurations +Web app,app,Microsoft.Web/sites +AKS cluster,aks,Microsoft.ContainerService/managedClusters +Container apps,ca,Microsoft.App/containerApps +Container apps environment,cae,Microsoft.App/managedEnvironments +Container registry,cr,Microsoft.ContainerRegistry/registries +Container 
instance,ci,Microsoft.ContainerInstance/containerGroups +Service Fabric cluster,sf,Microsoft.ServiceFabric/clusters +Service Fabric managed cluster,sfmc,Microsoft.ServiceFabric/managedClusters +Azure Cosmos DB database,cosmos,Microsoft.DocumentDB/databaseAccounts/sqlDatabases +Azure Cosmos DB for Apache Cassandra account,coscas,Microsoft.DocumentDB/databaseAccounts +Azure Cosmos DB for MongoDB account,cosmon,Microsoft.DocumentDB/databaseAccounts +Azure Cosmos DB for NoSQL account,cosno,Microsoft.DocumentDb/databaseAccounts +Azure Cosmos DB for Table account,costab,Microsoft.DocumentDb/databaseAccounts +Azure Cosmos DB for Apache Gremlin account,cosgrm,Microsoft.DocumentDb/databaseAccounts +Azure Cosmos DB PostgreSQL cluster,cospos,Microsoft.DBforPostgreSQL/serverGroupsv2 +Azure Cache for Redis instance,redis,Microsoft.Cache/Redis +Azure SQL Database server,sql,Microsoft.Sql/servers +Azure SQL database,sqldb,Microsoft.Sql/servers/databases +Azure SQL Elastic Job agent,sqlja,Microsoft.Sql/servers/jobAgents +Azure SQL Elastic Pool,sqlep,Microsoft.Sql/servers/elasticpool +MariaDB server,maria,Microsoft.DBforMariaDB/servers +MariaDB database,mariadb,Microsoft.DBforMariaDB/servers/databases +MySQL database,mysql,Microsoft.DBforMySQL/servers +PostgreSQL database,psql,Microsoft.DBforPostgreSQL/servers +SQL Server Stretch Database,sqlstrdb,Microsoft.Sql/servers/databases +SQL Managed Instance,sqlmi,Microsoft.Sql/managedInstances +App Configuration store,appcs,Microsoft.AppConfiguration/configurationStores +Maps account,map,Microsoft.Maps/accounts +SignalR,sigr,Microsoft.SignalRService/SignalR +WebPubSub,wps,Microsoft.SignalRService/webPubSub +Azure Managed Grafana,amg,Microsoft.Dashboard/grafana +API management service instance,apim,Microsoft.ApiManagement/service +Integration account,ia,Microsoft.Logic/integrationAccounts +Logic apps,logic,Microsoft.Logic/workflows +Service Bus namespace,sbns,Microsoft.ServiceBus/namespaces +Service Bus 
queue,sbq,Microsoft.ServiceBus/namespaces/queues +Service Bus topic,sbt,Microsoft.ServiceBus/namespaces/topics +Service Bus topic subscription,sbts,Microsoft.ServiceBus/namespaces/topics/subscriptions +Automation account,aa,Microsoft.Automation/automationAccounts +Azure Policy definition,poldef,Microsoft.Authorization/policyDefinitions +Alerts,monal,"microsoft.insights/activityLogAlerts, +Microsoft.Insights/metricAlerts, +microsoft.insights/scheduledqueryrules, +microsoft.alertsmanagement/smartdetectoralertrules" +Application Insights,appi,Microsoft.Insights/components +Azure Monitor action group,ag,Microsoft.Insights/actionGroups +Azure Monitor data collection rules,dcr,Microsoft.Insights/dataCollectionRules +Blueprint,bp,Microsoft.Blueprint/blueprints +Blueprint assignment,bpa,Microsoft.Blueprint/blueprints/artifacts +Log Analytics workspace,log,Microsoft.OperationalInsights/workspaces +Log Analytics query packs,pack,Microsoft.OperationalInsights/querypacks +Management group,mg,Microsoft.Management/managementGroups +Microsoft Purview instance,pview,Microsoft.Purview/accounts +Resource group,rg,Microsoft.Resources/resourceGroups +Template specs name,ts,Microsoft.Resources/templateSpecs +Azure Migrate project,migr,Microsoft.Migrate/assessmentProjects +Database Migration Service instance,dms,Microsoft.DataMigration/services +Recovery Services vault,rsv,Microsoft.RecoveryServices/vaults +Application gateway,agw,Microsoft.Network/applicationGateways +Application security group (ASG),asg,Microsoft.Network/applicationSecurityGroups +CDN profile,cdnp,Microsoft.Cdn/profiles +CDN endpoint,cdne,Microsoft.Cdn/profiles/endpoints +Connections,con,Microsoft.Network/connections +Ddos Protection Plan,ddos,Microsoft.Network/connections +DNS,pbdnsz,Microsoft.Network/dnsZones +DNS private resolver,dnspr,Microsoft.Network/dnsResolvers +DNS private resolver inbound endpoint,in,Microsoft.Network/dnsResolvers/inboundEndpoints +DNS private resolver outbound 
endpoint,out,Microsoft.Network/dnsResolvers/outboundEndpoints +Private DNS Zone,pvdnsz,Microsoft.Network/privateDnsZones +Azure Firewall,afw,Microsoft.Network/azureFirewalls +Firewall policy,afwp,Microsoft.Network/firewallPolicies +ExpressRoute circuit,erc,Microsoft.Network/expressRouteCircuits +ExpressRoute Gateway,erg,Microsoft.Network/expressRouteGateway +Azure Front Door,afd,Microsoft.Cdn/profiles +Front Door (Standard/Premium) endpoint,fde,Microsoft.Cdn/profiles/afdEndpoints +Front Door firewall policy,fdfp,Microsoft.Network/frontdoorWebApplicationFirewallPolicies +Front Door (classic),afd,Microsoft.Network/frontDoors +Load balancer,lb,Microsoft.Network/loadBalancers +Local network gateway,lgw,Microsoft.Network/localNetworkGateways +NAT gateway,ng,Microsoft.Network/natGateways +Network security group,nsg,Microsoft.Network/networkSecurityGroups +Network Watcher,nw,Microsoft.Network/networkWatchers +Private Link,pl,Microsoft.Network/privateLinkServices +Private endpoint,pep,Microsoft.Network/privateEndpoints +Public IP,pip,Microsoft.Network/publicIPAddresses +Public IP address prefix,ippre,Microsoft.Network/publicIPPrefixes +Route filter,rf,Microsoft.Network/routeFilters +Route server,rtserv,Microsoft.Network/virtualHubs +Route table,rt,Microsoft.Network/routeTables +Service endpoint policy,se,Microsoft.serviceEndPointPolicies +Traffic Manager profiles,traf,Microsoft.Network/trafficManagerProfiles +Route Table,udr,Microsoft.Network/routeTables/routes +Virtual network,vnet,Microsoft.Network/virtualNetworks +Virtual WAN,vwan,Microsoft.Network/virtualWans +Virtual network gateway,vgw,Microsoft.Network/virtualNetworkGateways +Azure Bastion,bas,Microsoft.Network/bastionHosts +Key vault,kv,Microsoft.KeyVault/vaults +Managed identity,id,Microsoft.ManagedIdentity/userAssignedIdentities +VPN Gateway,vpng,Microsoft.Network/vpnGateways +VPN connection,vcn,Microsoft.Network/vpnGateways/vpnConnections +VPN site,vst,Microsoft.Network/vpnGateways/vpnSites +Web Application 
Firewall,waf,Microsoft.Network/firewallPolicies +Web Application Firewall (WAF) policy rule group,wafrg,Microsoft.Network/firewallPolicies/ruleGroups +Azure Netapp Files,anf,Microsoft.NetApp/netAppAccounts +Azure StorSimple,ssimp,Microsoft.StorSimple/managers +Backup Vault name,bvault,Microsoft.DataProtection/backupVaults +Backup Vault policy,bkpol,Microsoft.DataProtection/backupVaults/backupPolicies +File share,share,Microsoft.Storage/storageAccounts/fileServices/shares +Storage account,st,Microsoft.Storage/storageAccounts +Storage Sync Service name,sss,Microsoft.StorageSync/storageSyncServices +Virtual desktop host pool,vdpool,Microsoft.DesktopVirtualization/hostPools +Virtual desktop application group,vdag,Microsoft.DesktopVirtualization/applicationGroups +Virtual desktop workspace,vdws,Microsoft.DesktopVirtualization/workspaces +Virtual desktop scaling plan,vdscaling,Microsoft.DesktopVirtualization/scalingPlans +Azure SQL Data Warehouse,sqldw,Microsoft.Sql/servers +Define,wadf,N/A +Design,wads,N/A +Test,wats,N/A +Deploy,wadp,N/A +Monitor,wamn,N/A +Respond,ward,N/A
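Review bot: in the afw-3.kql hunk the new `| project recommendationid="afw-3",name, id, param1= rightFirewallId, param2= monitoredMetrics` references `name` and `id`, but neither column survives the preceding `summarize ... by tostring(firewallId)` on the left side of the join, and the right side projects only `rightFirewallId = id`, so the query cannot resolve them; project them in the joined subquery (e.g. `| project rightFirewallId = id, name, id`). The column is also spelled `recommendationid` here while the afw-5 and afd-* queries emit `recommendationId`; anything keying on that column name will miss this query's rows, so align the casing.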
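Review bot: in the afw-5.kql hunk the new `| project recommendationId="afw-5", name, id=firewallId, param1=strcat("ddosProtectionPlan: ", ddosProtectionPlan)` sits behind a `kind=fullouter` join, so every DDoS plan whose VNet has no firewall is emitted as a row with empty `name` and `id`, and a firewall with no plan comes out with `param1` equal to the bare prefix `ddosProtectionPlan: ` because `strcat` treats the null as an empty string; use `kind=leftouter` so only firewalls are listed and filter on `isnull(ddosProtectionPlan)` if the finding is "firewall VNet without a plan". On the changed `| project name, firewallId = id, vNet= substring(...)` line the `substring` reads `properties_ipConfigurations.properties.subnet.id` while the `indexof` reads `properties_ipConfigurations.properties.subnet` (the whole object) and compensates with `- 7`; use `tostring(... .subnet.id)` in both places and drop the offset, and consider `tolower()` on both `vNet` values since the join `==` is case-sensitive on resource ids.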
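Review bot: in the afw-6.kql hunk the placeholder is written `//under development` while the afw-2, afw-4 and afw-7 hunks write `// under development`; use the same text in all four so a search for the placeholder finds every stub.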
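Review bot: in the afd-1.kql hunk the unchanged `| where type == "microsoft.Network/trafficmanagerprofiles" or type == "microsoft.cdn/profiles"` compares with the case-sensitive `==` against a mixed-case literal; Resource Graph returns `type` in lower case, so the Traffic Manager branch never matches. Use `=~`, as the template lines this patch removes elsewhere (`| where type =~ ...`) do, or lower-case the literal. The deleted `afd-1-rosantosf2.kql` had exactly the content the renamed `afd-1` query now has, so that part of the hunk is a clean de-duplication.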
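Review bot: in the afd-11.kql hunk the unchanged `| where properties['managedRules']['managedRuleSets'][0]['ruleSetType'] == "Microsoft_DefaultRuleSet"` inspects only the first managed rule set, so a policy whose default rule set is not the first entry is not reported; `mv-expand` `properties.managedRules.managedRuleSets` before the `where` so every rule set is checked. Only the `recommendationId` literal changes here, but the check decides whether the query's result can be trusted.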
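Review bot: in the traffic-manager `_index.md` hunk at `@@ -40,14 +40,14 @@` the shortcode path changes from `code/TRAF-1/TRAF-1.kql` to `code/traf-1/traf-1.kql` (and likewise traf-2 to traf-5 in the following hunks), but none of the hunks shown renames a `code/TRAF-*` directory; confirm those directories already exist in lower case, otherwise the shortcode will fail on a case-sensitive build host.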
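Review bot: in the traffic-manager `_index.md` hunk at `@@ -106,14 +106,14 @@` the changed link keeps a stray `)` in its text: `- [Configure DNS Time to Live to 60 seconds).](https://learn.microsoft.com/azure/advisor/...)`; since the line is touched anyway, drop it so the rendered text reads `Configure DNS Time to Live to 60 seconds.` The same applies to the unchanged `""All (World)""` doubled quotes in the `@@ -129,14 +129,14 @@` hunk.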
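Review bot: in the `storage-Account/_index.md` hunks dropping the leading slash from `file="/code/st-3/st-3.kql"` and `file="/code/st-4/st-4.kql"` is the right fix, but the directory itself, `storage-Account`, keeps a capital letter while this patch lower-cases the `traf-*` code paths; rename it to `storage-account` for the same case-sensitivity reason.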
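Review bot: in the new `services-abbreviations.csv` hunk several rows carry the namespace of a neighbouring row instead of the service's own: `Ddos Protection Plan,ddos,Microsoft.Network/connections` repeats the Connections row (the afw-5 query in this same patch uses `microsoft.network/ddosprotectionplans`), `Azure Synapse Analytics Spark Pool,synsp,Microsoft.Synapse/workspaces/sqlPools` repeats the SQL Dedicated Pool row (Spark pools are `Microsoft.Synapse/workspaces/bigDataPools`), and `Web Application Firewall,waf,Microsoft.Network/firewallPolicies` plus `...rule group,wafrg,Microsoft.Network/firewallPolicies/ruleGroups` point at the Azure Firewall policy type rather than a WAF policy (`Microsoft.Network/applicationGatewayWebApplicationFirewallPolicies` for Application Gateway). `Service endpoint policy,se,Microsoft.serviceEndPointPolicies` lacks the `Network/` segment every other row has, and the singular `expressRouteGateway` and `Microsoft.StreamAnalytics/cluster` look like typos for the plural type names. Two rows are labelled as a route table (`rt` and `udr`) and `afd` is assigned to both `Microsoft.Cdn/profiles` and `Microsoft.Network/frontDoors`, so a lookup keyed on abbreviation is ambiguous; `Microsoft.DocumentDB` and `Microsoft.DocumentDb` are also mixed. The `Alerts,monal,"..."` row spreads a quoted field over four lines, which is valid CSV but breaks any line-oriented reader of this file; join the namespaces on one line. The trailing `Define`/`Design`/`Test`/`Deploy`/`Monitor`/`Respond` rows with `N/A` are not resources and belong in a separate list.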