forked from Azure/review-checklists
-
Notifications
You must be signed in to change notification settings - Fork 1
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
Showing
180 changed files
with
111,915 additions
and
75,879 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Large diffs are not rendered by default.
Oops, something went wrong.
Large diffs are not rendered by default.
Oops, something went wrong.
Large diffs are not rendered by default.
Oops, something went wrong.
Large diffs are not rendered by default.
Oops, something went wrong.
258 changes: 258 additions & 0 deletions
258
checklists-ext/appservicewebapps_sg_checklist.zh-Hant.json
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,258 @@ | ||
{ | ||
"$schema": "https://raw.githubusercontent.com/Azure/review-checklists/main/checklists/checklist.schema.json", | ||
"categories": [], | ||
"items": [ | ||
{ | ||
"description": "高級應用服務計劃提供高級縮放功能,並確保在發生故障時提供冗餘。", | ||
"guid": "ad95f4ca-bd35-4ac7-a993-733c320fa4c4", | ||
"service": "App Service Web Apps", | ||
"text": "(應用服務計劃)為生產工作負載選擇應用服務計劃的高級層。 根據您的容量規劃設置最大和最小工作線程數。有關詳細資訊,請參閱應用服務計劃概述。", | ||
"type": "recommendation", | ||
"waf": "可靠性" | ||
}, | ||
{ | ||
"description": "當多個實例分佈在各個區域時,您的應用程式可以承受單個區域中的故障。流量會自動轉移到其他區域中的正常運行的實例,並在一個區域不可用時保持應用程式的可靠性。", | ||
"guid": "8a18771a-8a59-47de-905e-6e6b72f36990", | ||
"service": "App Service Web Apps", | ||
"text": "(應用服務計劃)啟用區域冗餘。請考慮預置三個以上的實例以增強容錯能力。 檢查區域對區域冗餘的支持,因為並非所有區域都提供此功能。", | ||
"type": "recommendation", | ||
"waf": "可靠性" | ||
}, | ||
{ | ||
"description": "禁用 ARR 關聯時,傳入請求將均勻分佈在所有可用節點上。均勻分佈的請求可防止流量使任何單個節點不堪重負。如果節點不可用,則可以將請求無縫重定向到其他正常運行的節點。 避免會話相關性,以確保應用服務實例保持無狀態。無狀態應用服務可降低複雜性,並確保節點之間的行為一致。 刪除粘性會話,以便應用服務可以添加或刪除實例以水平縮放。", | ||
"guid": "5a05980f-0f3f-42c2-af59-563b037aa64c", | ||
"service": "App Service Web Apps", | ||
"text": "(應用服務)請考慮禁用應用程式請求路由 (ARR) 關聯功能。ARR 關聯會創建粘性會話,將使用者重定向到處理其先前請求的節點。", | ||
"type": "recommendation", | ||
"waf": "可靠性" | ||
}, | ||
{ | ||
"description": "自動修復規則可説明您的應用程式自動從意外問題中恢復。當超出閾值時,配置的規則會觸發修復操作。 自動修復可實現自動主動維護。", | ||
"guid": "a92ea6eb-79b0-49f8-be2f-9ecbd56ca794", | ||
"service": "App Service Web Apps", | ||
"text": "(應用服務)根據請求計數、慢速請求、記憶體限制以及性能基線中的其他指標定義自動修復規則。將此配置視為擴展策略的一部分。", | ||
"type": "recommendation", | ||
"waf": "可靠性" | ||
}, | ||
{ | ||
"description": "運行狀況檢查可以及早發現問題。然後,當運行狀況檢查請求失敗時,系統可以自動採取糾正措施。 負載均衡器將流量從不正常的實例路由出去,從而將使用者定向到正常運行的節點。", | ||
"guid": "8804a347-b18e-4dce-88b6-9beee13dc12b", | ||
"service": "App Service Web Apps", | ||
"text": "(應用服務)開啟健康檢查功能,並提供回應健康檢查請求的路徑。", | ||
"type": "recommendation", | ||
"waf": "可靠性" | ||
}, | ||
{ | ||
"description": "應用程式從 Key Vault 檢索機密,以驗證來自應用程式的外部通信。Azure 管理標識,不需要預配或輪換任何機密。 對於控制的粒度,您具有不同的身份。如果身份遭到洩露,不同的身份使吊銷變得容易。", | ||
"guid": "ffcc54ba-464e-4ad4-b96c-de8a6959ba61", | ||
"service": "App Service Web Apps", | ||
"text": "(應用服務)將託管標識分配給 Web 應用。若要保持隔離邊界,請不要在應用程式之間共用或重複使用標識。 如果使用容器進行部署,請確保安全地連接到容器註冊表。", | ||
"type": "recommendation", | ||
"waf": "安全" | ||
}, | ||
{ | ||
"description": "自定義域使用傳輸層安全性 (TLS) 協定通過 HTTPS 實現安全通信,從而確保對敏感數據的保護並建立使用者信任。", | ||
"guid": "d0450dd8-5e4e-45a2-ae67-83de17e9932c", | ||
"service": "App Service Web Apps", | ||
"text": "(應用服務)為應用程式配置自定義域。 禁用 HTTP 並僅接受 HTTPS 請求。", | ||
"type": "recommendation", | ||
"waf": "安全" | ||
}, | ||
{ | ||
"description": "使用此功能時,您不必在應用程式代碼中使用身份驗證庫,從而降低了複雜性。當請求到達應用程式時,用戶已經過身份驗證。", | ||
"guid": "b2b6b6df-7bd0-4394-a6df-86c3a15bcaf7", | ||
"service": "App Service Web Apps", | ||
"text": "(應用服務) 評估應用服務內置身份驗證是否是對存取應用程式的使用者進行身份驗證的正確機制。應用服務內置身份驗證與 Microsoft Entra ID 集成。此功能處理跨多個登錄供應商的令牌驗證和使用者身份管理,並支援 OpenID Connect。使用此功能時,您沒有細粒度級別的授權,並且沒有測試身份驗證的機制。", | ||
"type": "recommendation", | ||
"waf": "安全" | ||
}, | ||
{ | ||
"description": "獲得使用 Azure 虛擬網路的安全優勢。例如,應用程式可以安全地訪問網路內的資源。 添加專用終結點以幫助保護應用程式。專用終結點限制了對公共網路的直接暴露,並允許通過反向代理進行受控訪問。", | ||
"guid": "bc1fd50b-a78a-44e6-bbd6-db1c75fa8fdd", | ||
"service": "App Service Web Apps", | ||
"text": "(應用服務)為虛擬網路整合配置應用程式。 對應用服務應用使用專用終結點。阻止所有公共交通。 通過虛擬網路集成路由容器映射拉取。來自應用程式的所有傳出流量都通過虛擬網路。", | ||
"type": "recommendation", | ||
"waf": "安全" | ||
}, | ||
{ | ||
"description": "我們不建議將基本身份驗證作為安全部署方法。Microsoft Entra ID 採用基於 OAuth 2.0 令牌的身份驗證,該身份驗證提供了許多優勢和增強功能,可解決與基本身份驗證關聯的限制。 策略限制對應用程式資源的訪問,僅允許來自特定域的請求,並保護跨區域請求。", | ||
"guid": "aed08f98-d32e-43c4-8879-e2a3640ec82a", | ||
"service": "App Service Web Apps", | ||
"text": "(應用服務)要實施強化,請執行以下操作: - 禁用使用使用者名和密碼的基本身份驗證,以支持基於 Microsoft Entra ID 的身份驗證。 - 關閉遠端調試,以便不打開入站埠。- 啟用 CORS 策略以收緊傳入請求。 - 禁用 FTP 等協定。", | ||
"type": "recommendation", | ||
"waf": "安全" | ||
}, | ||
{ | ||
"description": "機密與應用的配置分開保存。應用設置在靜態時進行加密。 應用服務還管理機密輪換。", | ||
"guid": "ed800519-baa0-449d-8c29-c5fae194116a", | ||
"service": "App Service Web Apps", | ||
"text": "(應用服務)始終使用 Key Vault 引用作為應用設置。", | ||
"type": "recommendation", | ||
"waf": "安全" | ||
}, | ||
{ | ||
"description": "為在應用服務計劃中運行的資源獲取實時保護。防範威脅並增強整體安全態勢。", | ||
"guid": "4c020315-db82-4fd8-a3da-8f2b80bd5b4f", | ||
"service": "App Service Web Apps", | ||
"text": "(應用服務計劃)為應用服務啟用 Microsoft Defender for Cloud。", | ||
"type": "recommendation", | ||
"waf": "安全" | ||
}, | ||
{ | ||
"description": "日誌記錄捕獲訪問模式。它記錄相關事件,這些事件提供有關使用者如何與應用程式或平臺交互的寶貴見解。這些資訊對於問責制、合規性和安全性目的至關重要。", | ||
"guid": "a1278dd3-3ed5-43b3-9544-69ccd3694db1", | ||
"service": "App Service Web Apps", | ||
"text": "(應用服務計劃)啟用診斷日誌記錄並向應用添加檢測。日誌將發送到 Azure 儲存帳戶、Azure 事件中心和 Log Analytics。有關審核日誌類型的更多資訊,請參閱支援的日誌類型。", | ||
"type": "recommendation", | ||
"waf": "安全" | ||
}, | ||
{ | ||
"description": "與較高級別相比,「免費」和“基本”級別對預算友好。它們為不需要高級計劃的全部功能和性能的非生產環境提供了經濟高效的解決方案。", | ||
"guid": "73ebf138-84db-4fcf-9829-c3196790bb4b", | ||
"service": "App Service Web Apps", | ||
"text": "(應用服務計劃)對於較低的環境,請選擇「免費」或“基本”層。我們建議將這些層用於實驗性用途。當您不再需要這些層時,請將其刪除。", | ||
"type": "recommendation", | ||
"waf": "成本" | ||
}, | ||
{ | ||
"description": "開發/測試計劃為 Azure 服務提供更低的費率,這使得它們在非生產環境中具有成本效益。 使用預留實例預付計算資源費用並獲得大幅折扣。", | ||
"guid": "e4b9b5ec-6d62-4457-8225-98070a48f1f0", | ||
"service": "App Service Web Apps", | ||
"text": "(應用服務計劃)利用折扣並探索以下優惠定價: - 使用開發/測試計劃降低環境。 - 在高級 V3 層和應用服務環境中預配的專用計算的 Azure 預留和 Azure 節省計畫。 將預留實例用於具有可預測使用模式的穩定工作負載。", | ||
"type": "recommendation", | ||
"waf": "成本" | ||
}, | ||
{ | ||
"description": "您可以及早發現成本飆升、效率低下或意外費用。這種積極主動的方法可説明您提供預算控制,以防止超支。", | ||
"guid": "c3c919e3-e1ef-4566-8789-edada78d7095", | ||
"service": "App Service Web Apps", | ||
"text": "(應用服務)監視應用服務資源產生的成本。在 Azure 門戶中運行成本分析工具。 創建預算和警報以通知利益相關者。", | ||
"type": "recommendation", | ||
"waf": "成本" | ||
}, | ||
{ | ||
"description": "防止浪費,減少不必要的開支。", | ||
"guid": "a5257a31-c39f-4c09-85d0-d34edbfc0bbd", | ||
"service": "App Service Web Apps", | ||
"text": "(應用服務計劃)當需求減少時進行縮減。若要縮減,請定義縮放規則以減少 Azure Monitor 中的實例數。", | ||
"type": "recommendation", | ||
"waf": "成本" | ||
}, | ||
{ | ||
"description": "您可以及時發現問題並採取必要的措施來保持可用性和性能。", | ||
"guid": "29f5cff9-45d7-4ade-8e27-94ca0ba3b1d3", | ||
"service": "App Service Web Apps", | ||
"text": "(應用服務)監控實例的運行狀況並啟動實例運行狀況探測。設置用於處理運行狀況探測請求的特定路徑。", | ||
"type": "recommendation", | ||
"waf": "操作" | ||
}, | ||
{ | ||
"description": "診斷日誌提供有關應用行為的寶貴見解。監控流量模式並識別異常情況。", | ||
"guid": "9540f299-ca72-4849-a58a-78153436fc26", | ||
"service": "App Service Web Apps", | ||
"text": "(應用服務)為應用程式和實例啟用診斷日誌。 頻繁的日誌記錄可能會降低系統的性能,增加存儲成本,並且如果您無法安全地訪問日誌,還會帶來風險。請遵循以下最佳實踐: - 記錄正確級別的資訊。 - 設置保留策略。 - 保留對授權訪問和未經授權的嘗試的審計跟蹤。- 將日誌視為數據,並應用數據保護控制。", | ||
"type": "recommendation", | ||
"waf": "操作" | ||
}, | ||
{ | ||
"description": "應用服務會自動處理證書獲取、證書驗證、證書續訂和從 Key Vault 導入證書等過程。或者,將證書上傳到 Key Vault,並授權應用服務資源供應商訪問它。", | ||
"guid": "4a17086d-c18e-4f8e-95ec-2f2b2ec65d17", | ||
"service": "App Service Web Apps", | ||
"text": "(應用服務)利用應用服務託管證書將證書管理卸載到 Azure。", | ||
"type": "recommendation", | ||
"waf": "操作" | ||
}, | ||
{ | ||
"description": "避免停機和錯誤。 如果在交換后檢測到問題,請快速恢復到上次已知的良好狀態。", | ||
"guid": "0f0b02b2-941d-45a9-973a-74a01899a16d", | ||
"service": "App Service Web Apps", | ||
"text": "(應用服務計劃)在將暫存槽與生產槽交換應用之前,請驗證該應用在過渡槽中的更改。", | ||
"type": "recommendation", | ||
"waf": "操作" | ||
}, | ||
{ | ||
"description": "在啟用 Always On 的情況下,應用程式永遠不會卸載。", | ||
"guid": "24d94b35-de37-4c04-9aea-dec880bf216c", | ||
"service": "App Service Web Apps", | ||
"text": "當應用程式共用單個應用服務計劃時,啟用 Always On 設置。應用服務應用在空閒時自動卸載以節省資源。下一個請求會觸發冷啟動,這可能會導致請求超時。", | ||
"type": "recommendation", | ||
"waf": "性能" | ||
}, | ||
{ | ||
"description": "選擇 HTTP/2 而不是 HTTP/1.1,因為 HTTP/2 完全多路複用連接,重用連接以減少開銷,並壓縮標頭以最大程度地減少數據傳輸。", | ||
"guid": "f5d46d58-7c3f-4917-a4f1-b97aa98a00c4", | ||
"service": "App Service Web Apps", | ||
"text": "考慮將 HTTP/2 用於應用程式以提高協定效率。", | ||
"type": "recommendation", | ||
"waf": "性能" | ||
} | ||
], | ||
"metadata": { | ||
"name": "App Service Web Apps Service Guide", | ||
"state": "preview", | ||
"timestamp": "August 05, 2024", | ||
"waf": "all" | ||
}, | ||
"status": [ | ||
{ | ||
"description": "此檢查尚未查看", | ||
"name": "未驗證" | ||
}, | ||
{ | ||
"description": "有一個與此檢查關聯的操作項", | ||
"name": "打開" | ||
}, | ||
{ | ||
"description": "此檢查已經過驗證,並且沒有與之關聯的其他操作項", | ||
"name": "實現" | ||
}, | ||
{ | ||
"description": "不適用於當前設計", | ||
"name": "N/A" | ||
}, | ||
{ | ||
"description": "不需要", | ||
"name": "不需要" | ||
} | ||
], | ||
"waf": [ | ||
{ | ||
"name": "安全" | ||
}, | ||
{ | ||
"name": "成本" | ||
}, | ||
{ | ||
"name": "成本" | ||
}, | ||
{ | ||
"name": "可靠性" | ||
}, | ||
{ | ||
"name": "可靠性" | ||
}, | ||
{ | ||
"name": "安全" | ||
}, | ||
{ | ||
"name": "性能" | ||
}, | ||
{ | ||
"name": "操作" | ||
}, | ||
{ | ||
"name": "操作" | ||
}, | ||
{ | ||
"name": "性能" | ||
} | ||
], | ||
"yesno": [ | ||
{ | ||
"name": "是的" | ||
}, | ||
{ | ||
"name": "不" | ||
} | ||
] | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Oops, something went wrong.